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PROTECTION OF PRIVACY IN THE DHS 
INTELLIGENCE ENTERPRISE 
PART I 


Thursday, April 6, 2006 

U.S. House of Representatives, 

Committee on Homeland Security, 
Subcommittee on Intelligence, Information 
Sharing and Terrorism Risk Assessment, 

Washington, DC. 

The subcommittee met, pursuant to call, at 9:20 a.m., in Room 
311, Cannon House Office Building, Hon. Rob Simmons [chairman 
of the subcommittee] presiding. 

Present: Representatives Simmons, Gibbons, Dent, Brown-Waite, 
Lofgren, and Thompson. 

Mr. Simmons. [Presiding.] The subcommittee will be meeting 
today to hear testimony on the protection of privacy in the Depart- 
ment of Homeland Security Intelligence Enterprise. 

We will be hearing testimony from four witnesses today. Our 
first panel, we will hear from Ms. Maureen Cooney, acting chief 
privacy officer of the Department of Homeland Security. 

On our second panel, we will hear from Mr. Kirk Herath, chief 
privacy officer and associate general counsel at the Nationwide In- 
surance Companies; Mr. Jonathan Turley, Shapiro professor of 
Public Interest Law at the George Washington University Law 
School; and Lieutenant General Patrick Hughes, vice president of 
Homeland Security at L-3 Communications. 

And I thank all of our panelists for coming today. 

The right to privacy is implicit in the Fourth Amendment right 
of the people to be secure in their persons, houses, papers and ef- 
fects against unreasonable searches and seizures, and it shall not 
be violated. 

It is embedded in the founding ideals of this nation. Justice Wil- 
liam O. Douglas, in Griswold v. Connecticut, wrote that the right 
to privacy is “older than the Bill of Rights, older than our political 
parties.” 

We are all acutely aware of the privacy issues facing the govern- 
ment today, especially as the president and Congress work to de- 
fend America against those who wish to commit mass murder. 

And I remind my colleagues and others of a passage in the 9/11 
Commission report, which states, “We learned that the institutions 
charged with protecting our borders, civil aviation and national se- 
curity did not understand how grave this threat could be and did 
not adjust their polices, plans and practices to deter or defeat it. 

( 1 ) 
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We learned of fault lines within our government between the for- 
eign and domestic intelligence and between and within agencies. 
We learned of the pervasive problems of managing and sharing in- 
formation across large and unwieldy government that has been 
built in a different era to confront different dangers. We hope that 
the terrible losses chronicled in this report can create something 
positive — an America that is safer, stronger and wiser.” 

And, indeed, the creation of the Department of Homeland Secu- 
rity was a response to that effort to create something positive, 
something safer, stronger and wiser, but at the same time, some- 
thing that respects our Constitution and our Bill of Rights and the 
rights that are detailed therein. 

The House Permanent Select Committee on Intelligence is lead- 
ing the effort to examine the NSA Terrorist Surveillance Program, 
and the House Judiciary Committee is taking a close look at the 
Foreign Intelligence Surveillance Act. Speaking for myself, I sup- 
port both of those committee initiatives. 

We are here today to ensure that the Department of Homeland 
Security is also paying proper attention to privacy matters at the 
department and the department’s intelligence activities. 

The Department of Homeland Security has a legally mandated 
duty to protect the privacy of U.S. persons in the course of its intel- 
ligence work and in its information collection activities. However, 
just 2 days ago, the General Accounting Office issued a report stat- 
ing that federal agencies, including DHS, lacked polices that spe- 
cifically address their use of personal information from commercial 
sources. 

Ms. Cooney, I hope you will be able to address some of these 
issues for us in your testimony today. 

While DHS receives information from commercial sources, it also 
receives information from intelligence and law enforcement commu- 
nities as through the regulatory screening activities of the depart- 
ment. 

This information is vital to America’s border security, critical in- 
frastructure protection, transportation security, and a number of 
other security activities. Gathering, processing, analyzing and shar- 
ing information intelligence will be vital to preventing the next at- 
tack on our homeland. We must ensure, however, that the depart- 
ment protects the privacy of the American people while also pro- 
tecting them from terrorist attack. 

The chair now recognizes the ranking minority member of the 
committee, the gentlelady from California, Ms. Lofgren, for any 
statement she might wish to make. 

Ms. Lofgren. Thank you, Mr. Chairman. 

Welcome, Ms. Cooney, and also Mr. Harris and Mr. Turley. 

I appreciate being recognized for this statement. Our topic is pri- 
vacy rights. I think the elephant in the room is the issue of the 
NSA Warrantless Eavesdropping Program. NSA eavesdropping is 
an important issue for the subcommittee to address under its over- 
sight responsibilities over intelligence and information sharing 
techniques. 

The Bush administration has failed repeatedly to give Congress 
meaningful answers about this eavesdropping program, and the 
Congress so far has failed to hold it accountable through oversight. 
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The administration seems unwilling to provide Congress with the 
information it needs to conduct its proper oversight role. 

I have tried to secure information about this Warrantless Eaves- 
dropping Program. I have asked the Department of Defense and 
the Department of Justice to investigate this program, but they 
have declined. 

I asked President Bush to direct that a special council be ap- 
pointed to investigate. He has not answered the letter, but through 
his press secretary, declined. 

To date, press reports are all the information about this program 
that members of Congress and the public have. Congress should 
not accept this. 

One serious question about this Warrantless Eavesdropping Pro- 
gram is whether it complies with the law. This subcommittee 
should get an answer to that question. 

Whenever possible, it is important to work in a bipartisan fash- 
ion. Indeed, 2 weeks ago, the chairman and I produced a legislation 
jointly, and I think we set a land-speed record for a subcommittee 
markup. It is not comfortable or enjoyable to be critical when you 
sit next to somebody on a frequent basis and hope to work with 
them, but the hope for comity can never be an excuse for ducking 
the need to take action. 

As a ranking member, I cannot and do not control the agenda of 
our subcommittee. The chairman sets the agenda. I have sought to 
have this committee discharge its oversight responsibility in the 
matter of the NSA through written request by staff, written re- 
quest by myself, as well as personal conversations, but these efforts 
resulted in today’s hearing that will not serve as the needed over- 
sight of the NSA Warrantless Surveillance Program. 

I tried to secure a witness from the NSA to testify today, and as 
part of the record, I ask unanimous consent to place material about 
this in the record of this hearing. 

Mr. Simmons. Without objection, so ordered. 

Ms. Lofgren. Thank you. 

I appreciate that Professor Turley is here today to testify about 
the NSA Eavesdropping Program. I thank him for his testimony, 
which I have reviewed. His observations about the administration’s 
legal claims in support of this program are important, and it is 
viewed the administration’s legal claims present risks, not only for 
our intelligence gathering process, but also for our constitutional 
separation of powers are significant. 

While I am thankful to have Professor Turley’s testimony. Con- 
gress needs to hear more than legal arguments from scholars about 
9iis program. We need to do our oversight job and find out what 
is actually going on by calling the witnesses who have direct knowl- 
edge of what the government is actually doing. 

There is only one intelligence subcommittee as the Homeland Se- 
curity Committee and we are it. We cannot get thorough informa- 
tion on the NSA Eavesdropping Program without a government 
witness with firsthand knowledge about it. 

So today is a lost opportunity for this subcommittee. But today, 
actually right now, the attorney general of the United States is tes- 
tifying before the House Judiciary Committee. The attorney gen- 
eral knows all about the NSA program and is in a position to an- 
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swer questions about it. I don’t know if he will, but the opportunity 
to question him about what he knows about the NSA program is 
a far sight more promising than what we will have allowed this 
hearing to be. 

So I will excuse myself now to see whether the attorney general 
will permit the Congress to discharge its oversight obligations. 
With regrets, the structure of this hearing ensures that we will not 
succeed in that mission in this subcommittee today. 

And I would also like to present to the chair a letter from the 
minority pursuant to Rule 2M. We are seeking an additional hear- 
ing. 

Thank you, Mr. Chairman. I am going to go see Mr. Gonzales. 

Mr. Simmons. Normally, I would yield to the distinguished rank- 
ing member of the committee, but the ranking member of the sub- 
committee has made a few statements that I would have to respond 
to. 

This subcommittee has had this civil rights and privacy hearing 
on the schedule for some time, and we have been open to any wit- 
nesses that the minority would submit to us. 

It is my understanding that the individual that the ranking 
member refers to could not make it today, and so in a bipartisan 
fashion, we extended to the minority the opportunity of introducing 
that information into the record at a later date and holding the 
record open, which I thought was a fair proposal. 

We also offered to postpone this hearing to a later date. 

Ms. Lofgren. That is incorrect, sir. 

Mr. Simmons. Well, that is what I suggested to my staff. We also 
discussed the issue of recessing and reconvening. So from my per- 
spective, at least from where I sit, every effort has been made to 
make this a productive hearing. 

It is very disappointing to me to hear a prepared statement 
typed and prepared, obviously, in advance, and only to receive it 
here on the record. That to me is a disappointing thing to have to 
experience, but I guess I can say that in my experience on the Hill, 
both as a staffer on the Senate Intelligence Committee for 4 years 
and in my 5 years as a member of Congress, doing my best to pro- 
vide bipartisan oversight. I have encountered disappointments. 

Ms. Lofgren. If I will just — 

Mr. Simmons. If the lady would allow me to finish my statement. 

Ms. Lofgren. Certainly. 

Mr. Simmons. I have encountered those disappointments, and I 
will not allow those disappointments to prevent me from continuing 
to conduct the activities of this subcommittee in a bipartisan fash- 
ion to the best of my ability. 

And now the chair would like to recognize the distinguished 
ranking member of the full committee, Mr. Bennie Thompson of 
Mississippi. The gentleman is recognized. 

Mr. Thompson. Thank you, Mr. Chairman. In the interest of 
being fair and balanced, I will yield my time to the ranking mem- 
ber for a response. 

Ms. Lofgren. And I thank the ranking member. I would just 
note that I have now served in Congress for a little over 11 years, 
and I have never encountered a situation such as this in those 11 
years. The NSA is reluctant to testify. They need to be ordered to 
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testify by, not the ranking member because I lack that power, but 
by the chairman. 

We have endeavored to secure that. We have asked for — perhaps 
the chairman did order his staff to delay. They have refused our 
staff the opportunity. So I don’t want to get in a he-said-she-said. 
There is no point in that. But I am severely disappointed that we 
have failed to discharge our oversight hearing. I will always work 
in a bipartisan way when there is an opportunity. 

In the last Congress, Mr. Thornberry and I actually almost meld- 
ed our staffs. We didn’t have a majority and minority report at the 
end of the Congress. We had one report. I hope that we can do that 
again this year, but so far, I had to conclude that we may not 
achieve that level of success. That is not the topic here today. 

I will just say, this is an opportunity — was an opportunity to dis- 
charge the oversight obligations that we have as the Intelligence 
Subcommittee over the NSA. We will not accomplish that in this 
subcommittee today, and I think that is a disappointment. Perhaps 
we will remedy that in the future. And if so, I will eagerly be a 
participant with the chairman. 

And I would yield back to the ranking member, and I will now 
adjourn to the attorney general. 

Mr. Thompson. Thank you very much. 

Reclaiming my time, Mr. Chairman. 

I am pleased that the committee is turning its attention to the 
question of privacy protections in the department’s Intelligence En- 
terprise. The Privacy Office has done a tremendous job in making 
privacy an integral part of the department’s various initiatives and 
technology program. 

The more often we respect privacy from the beginning, the more 
likely expensive department programs won’t have to be canceled for 
ignoring this cherished right. Respecting privacy makes good busi- 
ness sense. 

While I look forward to Ms. Cooney’s testimony about how pri- 
vacy should inform the department intelligence process, I note that 
she could do her job more effectively if she had more powers. 

I believe that the privacy officer must be able to access all the 
records and speak to all the people she needs to in order to conduct 
truly effective privacy impact assessments. To boost her independ- 
ence, moreover, the privacy officer should serve a set term and 
should be able to report her findings to Congress directly rather 
than having to rely on an internal review process at the depart- 
ment that has often resulted in delays. 

As one observer has noted, while a truly vigorous and inde- 
pendent privacy officer can be inconvenient for government officials 
over the short term, over the long run, vigorous checks and bal- 
ances will strengthen the Department of Homeland Security by in- 
spiring greater public confidence in DHS programs. This is espe- 
cially important in an intelligence context. 

As a recently publicized NSA Domestic Surveillance Program has 
demonstrated, there must be effective oversight within agencies 
and by Congress itself in order to ensure that the war on terror 
does not also become a war on privacy and other civil liberties. 

I hope all the witnesses, including Professor Turley, will address 
this issue so we can learn more about what the department might 
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do to guard against the kinds of abuses we have seen with the NSA 
and what steps Congress should take to ensure that the NSA pro- 
gram does not undermine the public support for our efforts to se- 
cure the homeland. 

Welcome to our witnesses. 

And I yield back, Mr. Chairman. 

Mr. Simmons. I thank the gentleman for his statement. And I as- 
sure him that one of the purposes of this hearing is to learn how 
the privacy office is performing its duties, and if, in fact, issues 
that are currently in regulation need to be in statute. It would be 
our responsibility to act positively in that fashion. 

Mr. Gibbons. Mr. Chairman, parliamentary inquiry. 

Mr. Simmons. Yes, Mr. Gibbons? 

Mr. Gibbons. Mr. Chairman, would you tell me what the juris- 
diction of this committee is? Do we have jurisdiction over NSA? 

Mr. Simmons. I have discussed that with the parliamentarian of 
the House of Representatives, and I have been told that we do not. 

Mr. Gibbons. I had objected to, in addition, of Ms. Lofgren’s let- 
ters regarding her request on NSA to the committee. And I would 
say that as a concept of jurisdictional oversight that comments 
about this committee’s failure to bring NSA before it certainly lacks 
our jurisdiction, and I would hope that my objection to the addition 
of Ms. Lofgren’s letters regarding NSA to this committee would 
stand. 

Mr. Simmons. I appreciate the gentleman’s comment. 

In January of this year, I did write to the chair and ranking 
members of the intelligence committee and asked permission to 
have access to the information within their committee dealing with 
the National Security Surveillance Program. 

That permission was not granted, and at the time, I was told 
that the House of Representatives would pursue oversight of those 
activities through the two committees which have jurisdiction, 
which are the Intelligence Committee and the Judiciary Com- 
mittee. 

So that fact is well known, and the ranking member of the sub- 
committee does know that the Judiciary Committee on which she 
serves has jurisdiction. 

Mr. Gibbons. I had voiced my objection at the time the letter 
was admitted, but I did not get a response out of you, so I would 
just state for the record that I did object to her inclusion of that 
letter. 

Mr. Simmons. The objection is heard, and without objection, it is 
sustained. 

Mr. Thompson. Excuse me, Mr. Chairman. By sustaining the ob- 
jection, what are you saying? 

Mr. Simmons. The subcommittee, a few moments ago, agreed by 
unanimous consent to include a letter into the record from, I be- 
lieve, an individual from the National Security Agency. I do not 
know what that letter is. Nobody on the subcommittee knows what 
that letter is, or at least not on this side. 

The gentleman from Nevada has expressed an objection to in- 
cluding that letter in the record now that he knows more about it. 

Am I correct, Mr. Gibbons? 
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Mr. Gibbons. That is absolutely correct, and it is based on the 
jurisdiction of this committee. If the letter were in about the Home- 
land Security Department, that would be another story, but it is 
based on jurisdiction outside this committee, and I don’t know what 
the content of the letter is, and I don’t know what it was about. 
I don’t think it is official for this committee to take up matters. 

Mr. Thompson. Well, Mr. Chairman, I would like to say under 
the rules according to the minority interpretation, we believe we do 
have jurisdiction, and we just have a difference of opinion. 

Mr. Simmons. Why don’t we agree if it is agreeable that we will 
review the transcript and make a determination at a later date, 
and I will withdraw my offer to sustain the gentleman’s objection. 

Mr. Gibbons. I don’t have a problem with bringing it before the 
committee and having the committee in general look at it and 
make that decision. 

Mr. Simmons. Is that agreeable to the ranking member? 

Mr. Thompson. In terms of withdrawing it and looking at it 
later? 

Mr. Simmons. Yes. 

Mr. Thompson. No problem. 

Mr. Simmons. I thank the gentleman. 

I also thank the patience of our witnesses here today as we try 
to work our way through certain issues and get started. 

The chair now calls our first panel, Ms. Maureen Cooney, acting 
chief privacy officer of the Department of Homeland Security. Dur- 
ing her time with DHS Privacy Office, Ms. Cooney has served as 
chief of staff and as director of International Privacy Policy before 
becoming acting chief privacy officer. 

Ms. Cooney worked on international privacy and security issues 
as legal adviser for the International Consumer Protection at the 
U.S. Federal Trade Commission, and her legal career includes 
broad experience with the national services and enforcement 
issues, including international work on anti-money laundering and 
foreign compliance issues, information sharing and privacy and se- 
curity matters. She is a graduate of Georgetown University and 
holds a JD from the Georgetown University Law Center. 

I notice, Ms. Cooney, that you have substantial testimony that 
you wish to make. Normally, we limit it to 5 minutes, but if you 
need to exceed that, please be my guest. And welcome. 

STATEMENT OF MAUREEN COONEY, ACTING CHIEF PRIVACY 
OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY 

Ms. Cooney. Thank you. Good morning. Chairman Simmons, 
Ranking Member Thompson and members of the subcommittee, it 
is an honor to testify before you today on privacy activities across 
the Department of Homeland Security. 

As the subcommittee well knows, the Department of Homeland 
Security was the first agency to have a statutorily required privacy 
officer. The inclusion of a senior official accountable for privacy pol- 
icy and protection within the department honors the value placed 
on privacy as an underpinning of the American freedoms and de- 
mocracy we seek to protect. 

Privacy is a cultural value at DHS. Secretary Chertoff recently 
noted that as a young department, we have the opportunity to 
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build into the sinews of this organization respect for privacy and 
the thoughtful approach to privacy. 

He went on to express a belief that I share. We want the govern- 
ment to be a protector of privacy, and we want to build security 
regimes that maximize privacy protection and that do it in a 
thoughtful and intelligent way. If it is done right, it will be not 
only a long-lasting ingredient of what we do in Homeland Security, 
but a very good template for what governments ought to do in gen- 
eral when it comes to protecting people’s personal autonomy and 
privacy. 

The chief privacy officer and the DHS Privacy Office have a spe- 
cial role working in partnership and collaboration across the de- 
partment, to integrate privacy into the consideration of the ways 
in which the department assesses its programs, uses technologies 
and handles information. 

The Privacy Office has oversight of privacy policy matters and in- 
formation disclosure policy, including compliance with the Privacy 
Act of 1974, the Freedom of Information Act, and the Completion 
of Privacy Impact Assessment. 

The Privacy Office also evaluates new technologies used by the 
department for their impact on personal privacy. Further, under 
Section 222, the chief privacy officer is required to report to Con- 
gress on these matters, as well as on complaints about possible pri- 
vacy violations. 

The DHS Privacy Office takes an operational approach to ad- 
vancing privacy policy. We embed adherence to good privacy prac- 
tices in the investment and oversight and design phases or pro- 
grams through accountability and transparency tools, including pri- 
vacy notices required under the Privacy Act, the use of privacy im- 
pact assessments and privacy audits and complaint reviews. 

Our approach is consistent for all DHS programs and initiatives, 
and we have found that it works equally well for the law enforce- 
ment, homeland security and intelligence functions of the Depart- 
ment. 

As mentioned, one of the main mechanisms for operationalizing 
privacy protections is through the consistent use of the privacy im- 
pact assessment process throughout the department. 

The General Accountability Office released a report earlier this 
week on government use of commercial reseller data and com- 
pliments, in fact, the Department of Homeland Security’s privacy 
impact assessment process and guidance, which has been shared 
with our federal partners across the government. 

They also complimented the department on its dialogue on that 
very issue and the guidance which we are currently writing and 
collaborating on with within the department. 

Privacy impact assessments required by Section 208 of the E- 
Government Act of 2002 and Section 222 of the Homeland Security 
Act allow us to access the privacy impact of utilizing new or signifi- 
cantly changing information systems that collect personally identi- 
fiable information, including attention to mitigating privacy risks. 

Although the E-Government Act allows exceptions from the PIA 
requirement for national security systems, as a matter of good pri- 
vacy practice, the Privacy Office at the Department of Homeland 
Security requires that all DHS systems, including national security 
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systems, undergo a PIA — privacy impact assessment — if they con- 
tain personal information. 

We use the PIA process as a good government information man- 
agement tool and privacy protective process across the depart- 
ment’s programs. 

In cases where the publication of a PIA would be detrimental to 
national security, the PIA document may not be published or may 
be published in a redacted form. This means that information sys- 
tems that are part of the Intelligence Enterprise at the department 
also undertake these important analyses to ensure the privacy con- 
siderations are fully integrated into their deployment of programs. 

Let me quickly turn to information sharing. The Department of 
Homeland Security was created, in significant part, to foster infor- 
mation sharing for homeland security purposes. The Privacy Act, of 
course, provides the statutory authority for both inter-and intra- 
agency information sharing. 

The Privacy Office policy supports the exchange of information 
between the department’s component organizations whenever those 
organizations establish an appropriate need based on an express 
purpose. 

We work with department components to facilitate the timely ex- 
change of information in a privacy-sensitive manner, while working 
toward the goal of the right persons getting the right information 
at the right time. 

The department must also foster external information sharing for 
homeland security purposes with all of our partners at the federal, 
state, local, tribal and private sector levels. As the department in- 
corporates the need to share in its internal and external informa- 
tion sharing design, it is, of course, paramount that privacy be 
built into the process. 

We have worked collaboratively with our intelligence and anal- 
ysis colleagues for whom information sharing is part of their crit- 
ical mission — to also ensure that personally identifiable informa- 
tion of U.S. persons is treated in a manner that fully conforms with 
their rights and is handled sensitively. 

The DHS policy on handling U.S. person information contains a 
significant role for the DHS privacy officer to review activities that 
could involve a potential violation of the privacy rights of U.S. citi- 
zens and also requires the privacy officer to collaborate on new ini- 
tiatives to ensure that they enhance and do not erode privacy pro- 
tections relating to the collection, use and maintenance of personal 
information. 

Members of the committee, we take this responsibility very seri- 
ously. We look forward to working with you on this effort and ask 
for your support. Thank you for inviting me today. 

[The statement of Ms. Cooney follows:] 

Prepared Statement of Maureen Cooney 
April 6, 2006 

Introduction 

Chairman Simmons, Ranking Member Lofgren, and Members of the Sub- 
committee, it is an honor to testify before you today on privacy activities at the 
United States Department of Homeland Security, with particular reference to pri- 
vacy as part of the Department’s Intelligence Enterprise. 
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Because this marks my first appearance before the Subcommittee, I would like 
to offer some biographical background. It is my honor to currently serve as the Act- 
ing Chief Privacy Officer for the Department of Homeland Security. I come to this 
post with 20 years of federal experience in risk management and compliance and 
enforcement activities as well as in consumer protection work on global information 
privacy and security issues post 9-11. I was recruited from the Federal Trade Com- 
mission to join the Department of Homeland Security more than two years ago as 
Chief of Staff of the Privacy Office and Senior Advisor for International Privacy Pol- 
icy. Since that time, it has been my privilege to help build the DHS Privacy Office, 
under the leadership of former Chief Privacy Officer, Nuala O’Connor Kelly, and 
Secretaries Chertoff and Ridge. 

As the Subcommittee well knows, the Department of Homeland Security was the 
first agency to have a statutorily required Privacy Officer. The inclusion of a senior 
official accountable for privacy policy and protections within the Department honors 
the value placed on privacy as an underpinning of our American freedoms and de- 
mocracy. It also reflects Congress’ understanding of the growing sensitivity and 
awareness of the ubiquitous nature of personal data flows in the private and public 
sectors and a recognition of the impact of those flows upon our citizens’ lives. 

In addressing the Department’s Data Privacy and Integrity Advisory Committee, 
which was created to advise the Secretary and the Chief Privacy Officer on signifi- 
cant privacy issues. Secretary Michael Chertoff recently noted that the Department 
has the opportunity to build into the “sinews of this. . .organization, respect for pri- 
vacy and a thoughtful approach to privacy.” Secretary Chertoff expressed a belief 
that I share: 

We want the government to be a protector of privacy, and we want to build secu- 
rity regimes that maximize privacy protection and that do it in a thoughtful and 
intelligent way .... [IJf it’s done right, [it] will be not only a long-lasting ingre- 
dient of what we do in Homeland Security, but a very good template for what 
government ought to do in general when it comes to protecting people’s personal 
autonomy and privacy d 

The Chief Privacy Officer ^ and the DHS Privacy Office have a special role, work- 
ing in partnership and collaboration across the Department, to integrate privacy 
into the consideration of the ways in which the Department assesses its programs 
and uses technologies, handles information, and carries out our protective mission. 
The Privacy Office has oversight of privacy policy matters and information disclo- 
sure policy, including compliance with the Privacy Act of 1974, the Freedom of Infor- 
mation Act, and the completion of Privacy Impact Assessments on all new programs, 
as required by the E-Government Aet of 2002 and Section 222 of the Homeland Se- 
curity Act of 2002. The Privacy Office also evaluates new technologies used by the 
Department for their impact on personal privacy. Further, under Section 222, the 
Chief Privacy Officer is required to report to Congress on these matters, as well as 
on complaints about possible privacy violations. 

Today, I would like to describe for you how the Privacy Office has worked to build 
privacy into the sinews of our organization so that a culture of privacy informs the 
way in which we carry out our national mission of protecting our homeland. I’ll ex- 
plain our operational approach of embedding adherence to good privacy practices 
into the programs of the Department, through the budget and design phases of pro- 
grams, through accountability and transparency tools, including reviews of privacy 
notices (systems of records notices), the use of privacy impact assessments, and pri- 
vacy audits and reviews. Our approach is consistent for all DHS programs and ini- 


1 March 7, 2006 public Meeting of the Department of Homeland Security Data Privacy and 
Integrity Advisory Committee, Ronald Reagan Building and International Trade Center, Wash- 
ington, D.C. 

^The DHS Chief Privacy Officer is the first statutorily required privacy officer in the federal 
government. Section 222 of the Homeland Security Act, as amended, provides in pertinent part, 
the responsibilities of the DHS Chief Privacy Officer are to assume primary responsibility for 
privacy policy, including — 

(1) assuring that the use of technologies sustain, and do not erode, privacy protections relating 
to the use, collection and disclosure of personal information; 

(2) assuring that personal information contained in Privacy Act systems of records is handled 
in full compliance with fair information practices as set out in the Privacy Act of 1974; 

(3) evaluating legislative and regulatory proposals involving collection, use, and disclosure of 
personal information by the Federal Government; 

(4) conducting a privacy impact assessment of proposed rules of the Department on the pri- 
vacy of personal information, including the type of personal information collected and the num- 
ber of people affected; and 

(5) preparing a report to Congress on an annual basis on activities of the Department that 
affect privacy, including complaints of privacy violations, implementation of the Privacy Act of 
1974, internal controls and other matters. 
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tiatives and we have found that it works equally well for the law enforcement, 
homeland security and intelligence functions of the Department. 

I would then like to focus on the mandates of information sharing and intelligence 
activities and how those imperatives for national preparedness can be achieved 
while integrating privacy attentiveness and protections into Departmental oper- 
ations. 

Building a Culture of Privacy 

The Privacy Office works in partnership with each DHS Directorate and compo- 
nent to promote a business ethic of privacy attentiveness and responsible steward- 
ship for the personal information that we collect, use and disseminate. This is fun- 
damental to the Department’s overall achievement of its mission and for engen- 
dering the trust of the American people and visitors to our nation. 

We operationalize privacy at the outset of DHS program initiation through two 
primary means. First, the Privacy Office works to incorporate privacy in the devel- 
opment processes used to build DHS information systems. Second, the Privacy Of- 
fice confirms that privacy is embedded in the information systems that involve per- 
sonal data through the privacy assessment process. These two methods allow the 
Privacy Office to “bake” privacy into Departmental operations. 

Building privacy into the development process starts with the investment review 
processes for major programs and information systems at the Department. In part- 
nership with the DHS Management Directorate, the Privacy Office participates on 
three separate committees that review project proposals and set performance cri- 
teria for program and technology investment budget approvals. We thus can use the 
“power of the purse” to ensure that program personnel are attentive to privacy re- 
quirements. 

The Privacy Office then works to operationalize privacy protections through “pri- 
vacy gateways” that focus on the projected design and use of an information tech- 
nology system. In collaboration with the Office of the Chief Information Officer, the 
Privacy Office is developing these “privacy gateways” for the systems development 
life cycle review of technology deployed for Departmental programs to ensure that 
privacy practices are integrated through a monitored and auditable process. 

Consequently, Department design and deployment initiatives move forward only 
after proper attention has been paid not only to operational issues, but also to pri- 
vacy issues. In fact, privacy is considered a cornerstone of the Department’s pro- 
gram architecture, consistent with the mandate to protect the homeland while pre- 
serving essential liberties. 

Once funding for an information system is determined and privacy is considered 
in the systems development life cycle, the Privacy Office monitors privacy compli- 
ance through the use of a Privacy Impact Assessment (PIA). Conducting PIAs dem- 
onstrates the Department’s efforts to assess the privacy impact of utilizing new or 
significantly changing information systems, including attention to mitigating pri- 
vacy risks. Touching on the breadth of privacy issues, PIAs allow the examination 
of the privacy questions that may surround a program or system’s collection of infor- 
mation, as well as, the system’s overall development and deployment. 

When worked on early in the development process, PIAs provide an opportunity 
for program managers and system owners to build privacy protections into a pro- 
gram or system in the beginning. This avoids forcing the protections in at the end 
of the developmental cycle when remedies can be more difficult and costly to imple- 
ment. In accordance with Section 208 of the E-Government Act of 2002 and OMB’s 
implementing guidance, the Department of Homeland Security is required to per- 
form PIAs whenever it procures new information technology systems or substan- 
tially modifies existing systems that contain personal information. The Chief Pri- 
vacy Officer reviews and signs off on all Departmental PIAs and then they are pub- 
lished. 

Although the E-Government Act allows exceptions from the PIA requirement for 
national security systems, as a matter of good privacy practice, the Privacy Office 
requires that all DHS systems, including national security systems, undergo a PIA 
if they contain personal information. We use the PIA process as a good government 
information management tool and privacy protective process across the Depart- 
ment’s programs. In cases where the publication of the PIA would be detrimental 
to national security, the PIA document may not be published or may be published 
in redacted form. This means that information systems that are part of the Intel- 
ligence Enterprise at the Department undertake these important analyses to ensure 
that privacy considerations are fully integrated. Our intelligence information sys- 
tems are better considered and developed as a result of conducting PIAs. 
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Transparency and Accountability 

To assure that information in DHS record systems is handled in a manner con- 
sistent with the fair information practices principles set out in the Privacy Act of 
1974, the Privacy Office carefully reviews new Systems of Records Notices and new 
initiatives that seek to collect information to be placed under existing SORNs. The 
Privacy Office works closely with the Office of the General Counsel on the legal 
issues attendant to these SORNs and with all DHS program offices to analyze the 
ways in which the information will be shared through approved routine uses. In ad- 
dition to SORNs, we benchmark programs’ compliance with fair information prac- 
tices principles based upon their development and adherence to internal policies, 
procedures, and public statements of program goals. To that end, we are working 
on a privacy tool that will assist programs in doing periodic self assessments against 
similar measures. 

Another way the Privacy Office encourages transparency and accountability is 
through outreach and public workshops. Just yesterday, the Privacy Office hosted 
a public event concerning Transparency and Accountability: The Use of Personal In- 
formation within the Government. We explored the front end of the privacy proc- 
ess — how public notices inform the public of the intended use of personal informa- 
tion by government — and the back end of the process — how government can live up 
to the promises made in public notices through mechanisms for appropriate access, 
including through Privacy Act disclosures. Freedom of Information Act disclosures, 
and other appropriate means. 

Privacy Audits and Reviews 

The Privacy Office also has an important oversight function within the Depart- 
ment in assessing whether the fair information practices embedded in the Privacy 
Act of 1974 are appropriately implemented in our programs, along with other rel- 
evant frameworks. We do tbis through privacy audits and providing guidance at 
points along the development of programs. While the Privacy Office has an impor- 
tant internal role, it also receives and reports on complaints and concerns from the 
public about the privacy attentiveness of DHS programs. In response, we undertake 
reviews of those concerns and report on them to the Secretary and to Congress, per 
Section 222 of the Homeland Security Act, providing constructive guidance. 

Privacy Protection and Public Security through Information Sharing and 
Intelligence 

The Department of Homeland Security was created, in significant part, to foster 
information sharing for homeland security purposes. And from its beginning, the 
Department has undertaken the important work of removing the invisible barriers 
that block appropriate information flows within the Department. The Privacy Act, 
of course, provides the statutory authority for intra-agency information sharing 
when there is a need to know, and Privacy Office policy supports the exchange of 
information between the Department’s component organizations whenever the orga- 
nizations establish an appropriate need based on an express purpose. The Privacy 
Office, therefore, works with Department components to facilitate the exchange of 
information in a privacy sensitive manner, while working toward the goal of the 
right persons getting the right information at the right time. 

The Department must also foster external information sharing for homeland secu- 
rity purposes with all of our partners at the Federal, state, local, tribal and private 
sector levels. As the Department incorporates the “need to share,” in its information 
sharing design it is, of course, paramount that privacy be built into the process. Our 
work on internal information sharing complements and informs the Department and 
Privacy Office’s efforts to assist with external information sharing efforts. 

Just as the sharing model has changed, so must the paradigm shift to enhanced, 
stronger, and embedded privacy protections because, as Secretary Chertoff has said, 
“When we share information, if we do it in a disciplined way, we actually elevate 
the security of both those who share — and those who receive — the information.” The 
Privacy Office has therefore worked diligently to help create an information sharing 
model that allows for robust information exchanges for homeland security purposes 
even while it fosters robust privacy protections. 

In particular, we have worked collaboratively with our Intelligence and Analysis 
colleagues, for whom information sharing is part of their critical mission, to ensure 
that personally identifiable information of U.S. persons is treated in a manner that 
fully conforms with their rights and is handled sensitively. The DHS policy on han- 
dling U.S. person information developed by the Intelligence and Analysis section of 
DHS contains a significant role for the DHS Privacy Officer to review activities that 
could involve a potential violation of the privacy rights of U.S. citizens and also re- 
quires the Privacy Officer to collaborate on new initiatives to ensure that they en- 
hance and do not erode privacy protections relating to the collection, use and main- 
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tenance of personal information. This policy is another example of the way that the 
Privacy Office has helped to construct a culture of privacy at DHS and has worked 
to make privacy an operational imperative as we move forward with our mission. 

Related to these activities is the fact that over the past four years, the Adminis- 
tration has provided new tools to permit federal agencies to exchange information. 
Most recently, in Executive Order 13388, Further Strengthening the Sharing of Ter- 
rorism Information to Protect Americans, which was issued on October 25, 2005, the 
President made clear his intent that all federal agencies work to prepare an envi- 
ronment in which information flows support counterterrorism functions. The Execu- 
tive Order specifically recognizes the importance of protecting the “freedom, infor- 
mation privacy, and other legal rights of Americans.” This message is further re- 
flected in the Presidential Memorandum of December 16, 2005, to all federal depart- 
ments and agencies providing guidelines and specific requirements to build the new 
Information Sharing Environment. 

As part of this Memorandum, the President issued Guideline 5 stating that “the 
Federal Government has a solemn obligation, and must continue fully, to pro- 
tect. . .the information privacy rights and other legal rights of Americans. . .” in 
the building of an information sharing environment. 

In parallel with the President’s efforts. Congress enacted three laws providing the 
U.S. Government with greater authority for collecting, analyzing, and disseminating 
terrorist information: the USA PATRIOT Act of 2001, the Homeland Security Act 
of 2002, and the Intelligence Reform and Terrorism Prevention Act of 2004 (IRTPA). 
This last statute puts in place a mechanism to formalize the creation of the informa- 
tion sharing environment on an interagency level and it, too, provides that the pri- 
vacy rights of individuals must be central to the environment’s creation. 

“Need to Share” and the Role of the DHS Privacy Office 

Recent legislative enactments confirm what the National Commission on Terrorist 
Attacks Upon the United States recommended and that the President has required 
in his Executive Orders on information sharing, that we have moved from a “need 
to know” environment to a “need to share” environment. This “need to share” pre- 
sents significant improvements to information exchange, but it also presents signifi- 
cant challenges to individual expectations for privacy and to institutional privacy 
safeguards. At the Department of Homeland Security, as we move forward in our 
ability to share data, we are aware of our responsibility for the privacy, security and 
authorized use of the data entrusted to us. 

Specifically, technology and information policy should be maximized to build pri- 
vacy protections into data sharing models. But technology and privacy awareness, 
while important tools in protecting individual privacy interests, will not be enough 
to address current challenges. As we move forward, we will also need to establish 
and enforce concrete safeguards to prevent unauthorized access, use, or disclosure. 

The Privacy Office has provided expertise and guidance for building the ISE by 
working closely with the Information Sharing Environment Program Manager (ISE/ 
PM) and various steering groups on issues not only dealing directly with privacy, 
but also with subjects such as governance, operations, and harmonization of tech- 
nologies. Through these efforts, the Privacy Office is assisting with facilitating the 
incorporation of privacy protections at the roots of the ISE development. 

Currently, the Privacy Office is a member of an interagency working group, oper- 
ating under the joint leadership of the Director of National Intelligence and the De- 
partment of Justice, as specified by the President under Guideline 5. This group will 
conduct a review of current executive department and agency information sharing 
policies and procedures regarding the protection of information privacy and other 
legal rights of Americans; and develop guidelines designed to be implemented by ex- 
ecutive departments and agencies to ensure that the information privacy and other 
legal rights of Americans are protected in the development and use of the ISE, in- 
cluding in the acquisition, access, use, and storage of personally identifiable infor- 
mation. 

The review of policies is focusing on coordinating and consolidating the work al- 
ready done to focus on the key issues to harmonizing privacy protections. This re- 
view will lead into the development of appropriate guidelines that will outline a 
process for the operation of the entire ISE. 

Conclusion 

The Privacy Office will continue to work to ensure that privacy is woven into the 
very fabric of the Department as a guiding principle and value through 
operationalizing privacy throughout the Department and responding to privacy con- 
cerns about information sharing environments in positive, constructive ways. 

In addition, as the Acting Chief Privacy Officer of DHS, I endeavor at all times 
to keep an open door to the privacy community around the nation and the world 
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to ensure that the Department benefits from the range and depth of privacy practi- 
tioners and concerned citizens everywhere. 

We face great challenges. But we must achieve both security and privacy and, 
with both, sustain our values and freedoms. I do not doubt that we can move for- 
ward together and achieve our mission of protecting and preserving our lives and 
our way of life, preserving our Liberty and with it, our privacy. I appreciate the op- 
portunity to testify before this important committee today. I look forward to hearing 
the other witnesses’ testimony and to answering your questions. 

Mr. Simmons. Thank you very much for that testimony. 

I have a couple of questions, and then we will defer to the mem- 
bers of the subcommittee for their questions. 

Do you believe the Privacy Office has the support and the back- 
ing of DHS senior leadership and, in particular, leadership in the 
intelligence component in order to effectively fulfill your mission? 

Ms. Cooney. Thank you for the question, Mr. Chairman. 

Yes, absolutely. I do feel that we have always had the support 
since the time that I joined the Department of Homeland Security 
under both Secretary Ridge and now Secretary Chertoff, both of 
our secretaries. 

And the reason I am concentrating on that is because in any or- 
ganization, in privacy matters or any compliance and enforcement 
matters, you need leadership from the top in order to embed it 
within the culture of the organization. 

Both of our secretaries have been extremely supportive. They 
have been supportive of our privacy officers, of the more than 400 
employees who work on Privacy Acts and Freedom of Information 
Acts issues every day in the department. And, in particular, if I 
might say, our intelligence partners have always been very sup- 
portive. 

I know that General Hughes is here today testifying. He was a 
wonderful partner during his tenure at the department. And Mr. 
Allen could not be more supportive and his staff. 

Mr. Simmons. The issue of privacy frequently comes up in the 
context of collection activities. The Department of Homeland Secu- 
rity generally speaks of acquiring or gathering information which 
presumably they obtain from other agencies who also have their 
own privacy officers and presumably abide by their own privacy 
regulations. But the Department of Homeland Security might also 
collect information, for example, at the border or during a Coast 
Guard intercept. 

How do you deal with that kind of activity to ensure that the 
right to privacy is protected in the collection activities of the your 
own organization? 

Ms. Cooney. I would say broadly, and particularly with the com- 
ponents that you are mentioning — border security, which would be 
customs and border protection, or if it is TSA, or immigration and 
customs enforcement — each of those particular entities under the 
DHS umbrella have very specific standards and processes that they 
use in collecting information. 

And a major part of that is compliance with the Privacy Act of 
1974, which, as is true with any federal agency, requires that an 
agency only collects information that is mission critical, informa- 
tion that assists us in carrying out our particular duties as govern- 
ment employees. 
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We review in the Privacy Office in collaboration with those com- 
ponent agencies those policies and procedures and in particular, do 
privacy audits on those collection mechanisms. 

Mr. Simmons. I thank you. My time has expired. 

The chair recognizes the gentleman from Mississippi. 

Mr. Thompson. Thank you very much, Mr. Chairman. 

Ms. Cooney, for the record, do you have subpoena power or any- 
thing with your office in collecting data? 

Ms. Cooney. No, Congressman Thompson, we don’t. 

Mr. Thompson. Have you felt that you could do your work — have 
you had any problems getting data? 

Ms. Cooney. Initially, with one of our complaint reviews — that 
is one of our responsibilities — we did have some difficulty in getting 
full information within the department. I will say, since that initial 
experience, I am not aware of difficulty in that area. 

If I may, in my 20 years of federal service, a good part of that 
has been in compliance and enforcement work. And it is not un- 
usual that you ask for information even under a subpoena. And 
people think they are being fully compliant and are not, and you 
ask again, and you say, “Anything else?,” and they give you more. 

We are diligent and persistent in our activities even without 
some type of authority that you are mentioning. And within the 
government, that is standard process, and I assume that our staff 
will always be persistent in carrying out our compliance respon- 
sibilities. 

Mr. Thompson. Do you have the ability to take sworn testimony? 

Ms. Cooney. We do not, sir. 

Mr. Thompson. Would that help you? 

Ms. Cooney. In certain cases, it could be helpful. I think it 
would be — what I would say on that is, as we partner in the agency 
in other areas, we do have partners within the agency who have 
that ability, particularly the inspector general. 

With one of our major reviews, we did partner with the inspector 
general and referred part of our conclusion to the inspector general 
for his further review. He had the ability to use subpoena power 
to take sworn statements. To the extent that that works effectively 
in the absence of powers on our own, we would certainly leverage 
every opportunity in the department to make sure there is full 
compliance with all privacy laws. 

Mr. Thompson. So if you had the ability to subpoena witnesses 
for information or the ability to take affidavits, would that enhance 
your ability as chief privacy officer to function? 

Ms. Cooney. I know that our department — well, let me say it 
this way: It could. It might be helpful. To date, I guess I would say, 
again, to date, I don’t think that we have seen that we have not 
received the information that we have needed in order to carry out 
our abilities. 

Sometimes issues that I look at — and I am a lawyer, but I don’t 
practice as a lav^^er in the agency. I practice as a policymaker. But 
as a lawyer, thinking through that background, I would always 
want to be careful in our taking statements of not jeopardizing a 
case that someone else in another area of the department has au- 
thority for, which is why I think at least to date, it is important 
in the absence of having subpoena powers or the ability to take af- 
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fidavits, to be mindful that in the pursuit of our own activities, we 
need to be careful to partner with people who may need to follow 
up on an investigation. 

Mr. Thompson. Well, I understand that. But I am trying to be 
respectful of your office and try to figure out other than friendly 
persuasion what real authority do you have to actually get the in- 
formation. 

Ms. Cooney. I would say our greatest assistance in getting the 
information that we have needed is leadership from the secretary’s 
office, from the secretary himself. It was true under Secretary 
Ridge, and it was true very recently in a review that we did under 
Secretary Chertoff, not unlike the type of leadership buy-in that 
you need in a corporation. And that is what we have relied on. 

Mr. Thompson. So in absence of authority to do your job, you de- 
pend on leadership persuasion from the top? 

Ms. Cooney. Absolutely. We need their support in doing our job 
just as our colleagues do in theirs. 

Mr. Thompson. So can you initiate an investigation on your own? 

Ms. Cooney. Yes, we do do that, absolutely. 

Mr. Thompson. Without any leadership from the top? You have 
sole authority? 

Ms. Cooney. That is right. We inform the secretary, as would be 
responsible, and then we pursue our responsibilities under the stat- 
ute, under Section 222, that requires us to look at complaints and 
concerns about agency programs and processes. Yes, sir. 

Mr. Thompson. Thank you, Mr. Chairman. My time is expired. 

Mr. Simmons. I thank the gentleman for his questions. 

The gentleman from Pennsylvania, Mr. Dent, is recognized. 

Mr. Dent. Thank you, Mr. Chairman. 

Good morning. 

Ms. Cooney. Good morning. 

Mr. Dent. Do you believe that the department is doing an effec- 
tive job in protecting the privacy of American citizens? 

Ms. Cooney. Yes, Mr. Dent. I do believe we are. We are certainly 
trying very hard. I can tell you that the staff of the Privacy Office 
works extremely diligently, very long hours, is a very energetic 
staff, and that we have built various active partnerships across the 
department. 

I think all through our processes, from investment review, to life 
cycle development reviews of technologies that the department 
might deploy in programs, to our privacy impact assessments when 
programs are getting ready to be developed, and all through that 
developmental process, to the audit reviews afterwards, and then 
on reviews of complaints, I think we are being extremely proactive. 

I might add, we have an internal DHS data and privacy integrity 
board made up of senior managers, in particular, guidance that we 
are trying to fashion on the use of commercial reseller data. That 
particular internal board will meet next week to collaborate with 
us and to have a dynamic discussion on how operationally guidance 
might work and be implemented. 

We also have an external privacy advisory committee that gives 
advice directly to the secretary and to the chief privacy officer. 
They have looked most recently at the information sharing issues 
that relate to intelligence information that we handle at the de- 
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partment and that we need to push out both to the private sector 
and state and local partners. 

So we certainly are trying in as many venues and as many ways 
as possible to effectively push out privacy and privacy attentiveness 
within the department. 

Mr. Dent. And my final question. Do any of the information 
sharing systems within the DHS Intelligence Enterprise require 
privacy impact assessment or PIA as required by the E-Govern- 
ment Act of 2002? And can you give us an example of PIAs that 
have been done with regards to the DHS Intelligence Enterprise? 

Ms. Cooney. Yes. I am happy to do that. Most recently, we have 
worked on a privacy impact assessment that deals with our Home- 
land Security Information Network. We refer to it as HSIN. It is 
a network database that is managed by our Homeland Security op- 
erations center. 

But, of course, much of the information that is within that data- 
base is brought in and analyzed by our intelligence analysis area 
as well as others. Much of it is information from citizens who hap- 
pen to see suspicious activity and can call into the department. It 
includes information from our law enforcement components, our 
folks on the line every day protecting the borders. 

We have recently worked on that privacy impact assessment. It 
is publicly available on our web site on the Privacy Office web site. 

As I mentioned before, when these privacy impact assessments 
concern what might be considered national security operations, 
they don’t necessarily require publication, but we work very hard 
at transparency of DHS operations. And so on that particular PIA, 
we worked diligently with HSOP and with I&A to fashion the PIA 
in a way that we could describe as robustly as possible exactly 
what information we are collecting and how we are handling it. 

It is in the name of activity information rather than information 
about individuals. However, there is some information that comes 
into that database that concerns individuals. And to the extent that 
it is personally identifiable information, there are added safeguards 
and restrictions, roll-based access, in terms of who gets to see that 
information and when. 

Mr. Dent. Thank you. I yield back. 

Mr. Simmons. I thank the gentleman. 

The gentlelady from Florida, Ms. Brown-Waite, is recognized. 

Ms. Brown-Waite. Thank you very much, Mr. Chairman. 

Ms. Cooney, you have a very, very impressive resume, and this 
question may have been asked before. I apologize if it was. Please 
don’t hesitate to tell me. 

But as I looked at your resume, your title is chief privacy officer, 
the acting chief privacy officer. Do you think that your duties are 
impaired any way by the title of acting, and do you have any idea 
when the acting with all the responsibilities will become the actual 
privacy officer, chief privacy officer? 

Ms. Cooney. Thank you for your question. 

Since taking this position, my philosophy has been that it is just 
business as usual within the Privacy Office and the department in 
terms of fully integrating privacy into our operations. So the title 
itself, I don’t think, has made a significant difference for me in the 
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way in which I go about this joh, nor in the way in which senior 
leadership has partnered with me to be effective in that job. 

We cannot do this alone in the privacy office. This is an enter- 
prise-wide value and initiative to protect privacy at the depart- 
ment. So I have not seen an impediment based on my acting posi- 
tion, and I am happy to continue to serve in this role as long as 
the secretary asks me to do so. 

Ms. Brown-Waite. My next question is: Do you think that the 
Privacy Office has the adequate resources and funding to actually 
carry out the mission of the office? 

Ms. Cooney. Well, I would first answer that by thanking mem- 
bers of Congress for your support in building our budget from the 
time that we were in our infancy when we had three FTEs and a 
budget of $750,000 to the 15 FTEs that we have now and about an 
equal number of very experienced privacy contractors who are em- 
bedded and made part of our privacy team, and the budget we have 
now of $4.3 million. 

The exercise of pushing privacy out through the enterprise, of 
course, has also grown as the department and as we have multi- 
plied our homeland security programs. We will need to continue to 
watch that as those programs grow, but we continue to leverage 
our ability to effectuate privacy by capitalizing on privacy officers 
that are in our component agencies, our major programs — U.S. 
VISIT, Citizen and Immigration Services, Transportation and Secu- 
rity Administration, and Cyber Security, as well as the more than 
400 privacy professionals who I mentioned to you are embedded 
within the department. 

Ms. Brown-Waite. What is the average longevity of the 16 full- 
time employees that you now have? Or did it just increase with last 
year’s funding? 

Ms. Cooney. We have gradually increased each year that we 
have been in operation. We had been at 12 FTEs, and we received 
four new ones in the 2006 budget. We have filled one of those. We 
are actively interviewing for two other of those spots, and the 
fourth position has been posted. 

Under our former chief privacy officer, Nuala O’Connor Kelly, 
and together, we felt that that was imperative that whatever tools 
and resources Congress gave us, we would immediately use them. 
And we are actively doing that. So it has been incremental over the 
years. 

Ms. Brown-Waite. Well, obviously, it takes a very special kind 
of person to fill this, and I would just encourage you don’t fill it 
just for filling’s sake. Go out there and get the best and the bright- 
est. 

Ms. Cooney. Thank you. We will do our very best to do that. 

Ms. Brown-Waite. Thank you very much, and keep up the good 
job. 

Ms. Cooney. Thank you. 

Mr. Simmons. I thank the gentlelady for her comments. 

Are there any additional comments or questions that members 
may wish to make? 

Ms. Cooney, thank you very much for your testimony. It is great 
to have you here. You have responded very well. I think you 
shouldn’t be acting anymore. I think you should be permanent. And 



19 


what we always say is, if there are any budgetary or legislative im- 
pediments to performing your duties that you will make the sub- 
committee aware of those. Thank you. 

And now the chair will call the second panel. 

Ms. Cooney. Thank you. 

Mr. Simmons. The second panel consists of Mr. Keith Herath — 
I hope I am pronouncing your name correctly — chief privacy officer 
and associate general counsel at Nationwide Insurance Company, 
who is primarily responsible for creating and implementing privacy 
policy. Mr. Herath is currently serving a 2-year term on the DHS 
Data Privacy and Integrity Advisory Committee. 

Mr. Jonathan Turley, Shapiro Profess of Public Interest Law at 
the George Washington University Law School. He is a nationally 
recognized legal scholar. In 1990, Professor Turley joined the 
George Washington law faculty, and in 1998 became the youngest 
chaired professor in the school’s history. 

And Lieutenant General Patrick Hughes, who is vice president of 
Homeland Security at L-3 Communications and has over 38 years 
of strategic planning and leadership experience. Prior to joining L- 
3 Communications, General Hughes was assistant secretary for in- 
formation analysis at the U.S. Department of Homeland Security, 
a position he held from 2003 to 2005. 

Thank you all for being here. 

General Hughes, in particular, to you, welcome back. It is good 
to see you here. 

And the chair now recognizes Mr. Herath to testify. 

STATEMENT OF KIRK HERATH, CHIEF PRIVACY OFFICER, AVP- 

ASSOCIATE GENERAL COUNSEL, NATIONAWIDE INSURANCE 

COMPANIES 

Mr. Herath. Thank you. Good morning, Mr. Chairman, and 
members of the subcommittee. Thank you for the opportunity to 
speak with you today. 

My name is Kirk Herath. I am the chief privacy officer, associate 
general counsel and assistant vice president for Nationwide Insur- 
ance Companies located in Columbus, Ohio. I am also currently 
serving as the president of the International Association of Privacy 
Professionals. In addition, I serve as a member of the Department 
of Homeland Security’s Data Privacy and Integrity Advisory Com- 
mittee. 

I would like it noted that the opinions expressed here today are 
mine alone and do not reflect those of any other person or organi- 
zation. 

Privacy is a vibrant and growing profession. Privacy is recog- 
nized by the private sector, and increasingly in the public sector 
and academia, as an important and integral part of an organiza- 
tion’s success. 

The job of a privacy professional demands mastery of a complex 
set of laws technology, security standards, and program manage- 
ment techniques. In many ways, the emergence and growth of the 
International Association of Privacy Professionals reflects the grow- 
ing importance of privacy in public and private sectors. 

Privacy protections within the government and marketplace re- 
quire professionals to assess, create, monitor, and maintain policies 
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and practices. The LAPP was founded 5 short years ago, and in that 
time, it now has 2,200 members in over 23 countries. 

Clearly, the profession of privacy has cemented its position as a 
critical resource in any organization that deals with data. Privacy 
professionals within DHS play an important role in furthering our 
nation’s twin goal in protecting its citizens’ security and their 
rights. 

Most of us in the private sector discovered that the sheer scale 
of implementing privacy and safeguard requirements required a 
central office to coordinate the implementation of one corporate pri- 
vacy policy that comply with a new set of emerging laws. 

The federal government appears to he coming to the same conclu- 
sion. A central office is needed to coordinate privacy for a large gov- 
ernment agency. 

One can find many resources about how to create a privacy pro- 
gram. However, the steps in creating a privacy program can be 
summed up in the following: You first assess, you assess current 
processes, procedures, uses of data, et cetera. You then address, 
which is to identify and address gaps in your process and proce- 
dures. You monitor and audit to make sure that everything you put 
in place is working as it should, and then you repeat this process, 
because the environment is constantly changing. 

There are many challenges with implementing privacy. With 
every assessment or audit, there are three competing factors vying 
for the most beneficial outcome. These include the business need 
for quick access to abundant amounts of personal information. In- 
formation is money. The business cannot succeed without person 
information. For DHS, information may lead to greater security. 

Customer expectation is number two. The customer wants the 
product or service that they purchased or contracted for. The cus- 
tomer also has high expectations for how they want companies or 
organizations to manage and use their information. 

And third, privacy regulations. Like all regulations, they serve a 
good purpose. However, they often conflict with organizational 
goals. 

The job of a privacy officer is to help balance these three com- 
peting interests, because in the end, it rarely happens that each of 
the three competing interests is exactly equal. Generally, they are 
different. 

Listing the challenges that arise when implementing privacy is 
easy. Resolving them takes time and resources and the power to ef- 
fectuate the necessary change. It is a constant balancing act often 
with different outcomes each time an issue arises. 

The DHS Privacy Office’s mission is to minimize the impact on 
the individual’s privacy, particularly the individual’s personal infor- 
mation and dignity, while also achieving the mission of the Depart- 
ment of Homeland Security. 

One wonders whether the DHS Privacy Office has the budget 
staff and institutional authority to adequately carry out its mis- 
sion. In fact, the DHS Privacy Office has done a wonderful job 
working with the limited resources made available to it. They have 
done many of these assessments of existing programs and appear 
to be integrated in the planning and review processes for future 
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programs or programs under development. They have addressed 
most of the gaps discovered through their initial assessments. 

Where they can probably use the most assistance and resources 
is with operating their ongoing monitoring and audit function. This 
function is in its infancy and is inadequately staffed. Even if it 
were adequately staffed, it is doubtful that the Privacy Office has 
the legal authority to conduct the type of deep analysis necessary 
to ensure ongoing adherence to privacy laws. 

In sum, the Privacy Office is well organized and understands 
what it needs to do to carry out its objectives. It is highly moti- 
vated and experienced. Nevertheless, there are a few things Con- 
gress should consider to make it more successful. 

I respectfully submit the following: Number one, strengthen the 
statutory authority of the Privacy Office. It should have a clear and 
direct reporting line to Congress. The DHS Privacy Office should 
have a larger budget to carry out its critical mission. Its current 
$4.3 million budget is insufficient in light of the DHS’s overall 
budget. 

Congress should consider adding chief privacy officers and pri- 
vacy offices to all federal agencies or at least those that generally 
collect and process personal information on citizens. 

Transparency in information processing is fundamental to the 
role that the Privacy Office plays. The Freedom of Information Act 
Office needs to stay connected to the Privacy Office, because this 
is the Privacy Office’s single real connection to its customers, 
namely citizens. 

DHS should quickly appoint an official replacement for Nuala 
O’Connor Kelly, who left many months ago. Not having an official 
replacement devalues the Privacy Office politically and organiza- 
tionally. 

In conclusion, I hope my testimony helps illustrate the large ef- 
fort, cost and authority necessary for an organization to effectively 
implement a Privacy Office. For the DHS Privacy Office to carry 
out its statutorily defined requirements, it will need resources and 
the authority to implement a privacy program that balances the re- 
quirements of law and a responsibility of the government to protect 
its citizens. 

Additionally, no Privacy Office can be successful without clear 
and strong support from the top. If support from leadership is ab- 
sent, the privacy function will never be able to effectively car^ out 
its mission. In fact, trying to perform a privacy function without 
senior leadership support may be worse than not doing anything 
with privacy, because it provides an illusion to privacy without the 
reality of having any in. 

Thank you for inviting me to speak with you this morning. I 
would be happy to answer any questions that the committee may 
have. 

[The statement of Mr. Herath follows:] 

Prepared Statement of Kirk M. Herath 
April 6, 2006 

Introduction 

Mr. Chairman, members of the Subcommittee good morning. Thank you for oppor- 
tunity to speak with you this morning. 
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My name is Kirk Herath, I am the Chief Privacy Officer, Associate Vice President, 
and Associate General Counsel for Nationwide Insurance Companies, located in Co- 
lumbus, Ohio. I am also currently serving as President of the International Associa- 
tion of Privacy Professionals (lAPP), the world’s largest association for the privacy 
field, representing over 2,000 privacy professionals in business, government, and 
academia from 23 countries. Additionally, I serve as a member of the Department 
of Homeland Security’s (DHS) Data Privacy and Integrity Advisory Committee, 
which advises the Secretary of the Department of Homeland Security and the DHS 
Chief Privacy Officer on privacy and data integrity issues related to personal infor- 
mation. 

I would like it noted that I am here today in a personal capacity as an expert 
in privacy and privacy compliance. I am not here today officially representing my 
employer, my professional association or the Data Privacy and Integrity Advisory 
Committee. Thus, the opinions expressed here are mine alone and do not reflect 
those of any other person or organization. 

This morning, I will explain to the Committee how privacy has become imbedded 
into most private and a growing number of public organizations and how, in fact, 
it has become a legitimate profession and career path for thousands of knowledge 
workers. I also will attempt to describe for the Committee the very basic steps any 
organization needs to go through to address privacy and build a privacy infrastruc- 
ture. Following this description, I will compare and contrast the role that the DHS 
Privacy Office plays to what any other privacy office would do, whether it is private 
or public sector, particularly the trade-offs and balancing that is required to be suc- 
cessful. Finally, I will also respectfully attempt to provide a brief set of rec- 
ommendations for the Committee to consider if it desires to ensure more consistent 
privacy protections for DHS, or for any federal agency that collects and processes 
personal information. 

The Profession and Business of Privacy 

Before I describe how privacy programs should be organized and compare that to 
the DHS Privacy Office, I would like to discuss profession of privacy and the work 
of the lAPP. I believe that this will provide a good framework for the Subcommittee 
to see how Privacy is a vibrant and growing profession. In sum, privacy is recog- 
nized by the private sector, and increasingly in the public sector and academia, as 
an important and integral part of an organization’s success. The growth of the lAPP 
reflects this view. The lAPP is a rapidly growing professional association that rep- 
resents individual members working in the field of privacy. The organization works 
to define and promote this nascent profession through education, networking, and 
certification. 

In many ways, the emergence and growth of the LAPP reflects the growing impor- 
tance of privacy in public and private sectors. Privacy protections within the govern- 
ment and marketplace require professionals to assess, create, monitor, and maintain 
policies and practices. Put simply: privacy professionals are needed to give privacy 
protections viability within any organization. 

The lAPP was founded five short years ago as an emerging network of privacy 
professionals recognized the need for a professional association. The organization 
has grown rapidly since those early days and now boasts over 2200 members in 23 
countries. The lAPP’s recent annual conference here in Washington was, to the best 
of my knowledge, one of the largest privacy conferences ever held, with over 800 
attendees. Clearly, the market has placed a very high value on privacy and the ro- 
bust, but responsible use of data. 

When the lAPP was initially formed, the majority of our members shared a simi- 
lar title: chief privacy officer, or CPO. Indeed, many — if not most — Fortune 500 com- 
panies have now appointed a chief privacy officer. But the majority of LAPP mem- 
bers are not CPOs. Rather, we have seen a robust hierarchy of professional roles 
in privacy emerge — in both the privacy and the public sectors. These privacy pros 
cover issues of compliance, product development, marketing, security, human re- 
sources, consumer response, and more. The management of privacy issues in large 
organizations now requires a broad and deep team of professionals with increasingly 
sophisticated skills. It is a hybrid profession encompassing a broad set of skills. 
Some organizations have even created job families for their privacy professionals. 
It is now a career track. 

The job of a privacy professional demands mastery of a complex set of laws, tech- 
nology, security standards, and program management techniques. In 2004, the lAPP 
introduced the first broad-based privacy certification to the US marketplace, the 
Certified Information Privacy Professional (CIPP). This credential is meant to serve 
as a demonstration of a candidate’s knowledge of a broad range of fundamental pri- 



23 


vacy concepts. To date, over 800 people have taken the exam and over 600 CIPPs 
have been granted in the US. 

In 2005, the lAPP extended the CIPP program to include issues of governmental 
privacy. The CIPP/G program covers issues specific to the public sector: such as the 
Privacy Act, eGovernment Act, Freedom of Information Act, Patriot Act, and more. 
To date, the lAPP has granted over 70 CIPP/Gs. The lAPP expects more growth in 
this sector, due to the growing importance of privacy in the public sector. This hear- 
ing reinforces that view. 

Clearly, the profession of privacy has cemented its position as a critical resource 
in any organization that deals with data — whether that data is consumer or citizen 
data, or both. Privacy professionals within DHS and the few other government agen- 
cies that have privacy offices play an important role in further our nation’s twin 
goal of protecting its citizen’s security and their rights. 

I encourage members of the committee to visit the lAPP’s website, 
www.privacyassociation.org, to learn more about the profession of privacy. And, as 
a CIPP/G myself, I strongly recommend that the committee consider the value of 
such privacy certifications as a tool to ensure privacy issues are properly identified 
and addressed in the public and private sectors. 

Operationalizing Privacy within an Organization — An Example 

One of the reasons Chairman Simmons invited me today was to provide the Com- 
mittee with a brief overview of the process private sector companies undergo to im- 
plement an effective privacy program. I believe that the steps taken by private sec- 
tor companies take to protect the privacy of personal information can easily be ex- 
trapolated to the public sector. To the best of my knowledge, these were essentially 
the same steps that the DHS Privacy Office completed in order to provide the same 
privacy protection that individuals have come to expect from all entities that collect, 
use, and share their personal information. 

I will use my own experience with Nationwide to describe for the Committee the 
basic steps necessary for any organization — either public or private — to implement 
and continue to manage its privacy responsibilities. Explaining how privacy has 
been adopted in the private sector will help illustrate the steps — including opportu- 
nities and challenges — necessary to effectively carry out a privacy program. 

First, let me give you a brief overview of Nationwide. Nationwide is a fortune 100 
company comprised of several dozen different companies and divisions that sell a 
variety of products — from auto, home, and commercial insurance to mortgages to fi- 
nancial products — such as annuities and investment funds, to retirement plans — 
such as 401k and 457 plans. Nationwide employees over 30,000 employees and has 
an exclusive sales force of just over 4,000 agents. It also sells its products and serv- 
ices through tens of thousands of independent agents, producers and brokers. De- 
spite a complex organization, we have a legal duty to safeguard our customer infor- 
mation and protect their data wherever it is stored, accessed or shared. This can 
be a daunting task without a good plan and organization. 

Nationwide began centrally managing privacy as Congress was putting the fin- 
ishing touches on the Gramm-Leach-Bliley Act (GLBA) in late 1999. As you may 
know, GLBA requires financial institutions, including banks and insurance compa- 
nies, to inform customers in an annual privacy statement how the company uses, 
protects, and shares customers nonpublic personal information. GLBA also requires 
that financial institutions safeguard customer information. It’s not enough for a 
company just to tell a customer that it is “protecting your nonpublic personal infor- 
mation” or that “access to your information is limited to employees who have a busi- 
ness need-to-know your information.” A company must have the processes and tech- 
nolo^cal controls in place to veritably support the privacy statement. 

Prior to GLBA, each entity of Nationwide managed compliance with state privacy 
laws — mainly some version of the 1982 Model National Association of Insurance 
Commissioners (NAIC) Privacy Act — independently in the 16 states where some 
version of this model had been enacted into law. To the extent possible, each com- 
pany or division managed privacy practices differently. As you can imagine, this cre- 
ated a patchwork effect with respect to privacy. Each company and division adopted 
different privacy standards and practices. Even the philosophy of privacy varied be- 
tween companies, with some companies following a very high standard for privacy 
and others following a standard that was the minimum necessary to comply with 
the law. Senior management had not articulated a uniform privacy policy and 
spread this policy throughout the organization, companies and divisions. In sum, 
there was no consistent guidance on privacy. To be fair, this situation existed be- 
cause there was no single set of national privacy laws that applied equally to every 
entity, and there was no real enforcement mechanism. 
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For the private sector, this all changed when Congress enacted the Gramm-Leach- 
Bliley Act in November 1999. Among other requirements, the GLBA effectively 
forced companies to centralize privacy management and compliance. The sheer scale 
of implementing the privacy and safeguard requirements of GLBA required a cen- 
trally coordinated office to coordinate the implementation of one corporate privacy 
policy that complied with the new set of laws. I was assigned the role of advising 
Nationwide executive leadership on a privacy policy and compliance plan and then, 
with their agreement and approval with this privacy policy and plan, to implement 
GLBA requirements throughout all Nationwide companies and divisions. 

GLBA and other federal and state privacy laws have had a positive effect on cus- 
tomers and citizens. A good example of this is that DHS probably would not have 
hired the first statutorily-required privacy officer in the federal government, Nuala 
O’Conner Kelly, if not directed to do so by law. Customers and citizens have come 
to expect that entities that use, share, or disclose their personal information should 
protect this information and should use, share, or disclose it appropriately. The fed- 
eral government appears to be coming to the same conclusion: a central office is 
needed to coordinate privacy for any large government agency, perhaps one is even 
needed to coordinate “amon^’ the federal agencies, but I will address that later. 

The Four Basic Steps of a Privacy Program 

One can find several books and a plethora of articles today about how to create 
a privacy program. Most of these are good descriptions that go into each area in 
great detail and are worthwhile reading. However, the steps in creating a privacy 
program can be summed up in the following manner. To implement a privacy pro- 
gram, any company or agency needs to follow a seemingly simple four step model: 

1. Assess, 

2. Address, 

3. Monitor and Audit, 

4. Repeat. 

Step One — Assess 

The goal in step one is to conduct dozens and dozens of assessments. The best 
way to carry out this task is to create a large cross-functional team. For example, 
in my case, I formed what we called a Virtual Privacy Team (VPT) that included 
about 40 people from across our corporation. Each Nationwide company or division 
had representation on the VPT. These team members in turn lead their own busi- 
ness unit or staff office privacy compliance team, which varied in size and scope, 
within each of the companies or divisions. By my estimation — by using this model, 
we were able to centrally manage and coordinate the activities of over 500 employ- 
ees actively working on our corporate privacy implementation during 2000-2001, 
which was the high water compliance year of us, as we worked to comply with strict 
legal and regulatory time lines. 

Basically, the objective in the first step in implementing privacy in an organiza- 
tion is to assess current processes, procedures, uses of data, etc. Any organization 
going through this process needs to conduct, among others, the following assess- 
ments: 

1. Analysis of the legal requirements. 

a. What federal or state privacy laws exist that affect the organization? 

b. What were the specific requirements for each privacy law? 

c. How were companies and divisions complying with these patchwork of 

regulations? 

2. Evaluation of existing privacy standards, practices, and philosophies. 

3. Evaluation of information security practices. 

a. Does Nationwide have an information security policy? 

b. Does it meet the standards of the Safeguard Rule (the companion infor- 
mation security regulation within GLBA)? 

c. Collection of personal information. 

d. Which areas of Nationwide are collecting personal information? 

e. What type of information is being collected? 

f Why is this type of information being collected (purpose)? 

g. Where is it stored? 

h. Is Nationwide only collecting personal information necessary to complete 

the customer’s request? 

4. Collection of Personal Information. 

a. Which areas of Nationwide are collecting personal information? 

b. What types of information is being collected? 

c. Why is this type of information being collected (purpose)? 

d. Where is it stored? 
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e. Is Nationwide only collecting personal information necessary to complete 
the customer’s request? 

5. Use of Personal Information. 

a. How is information being use? 

b. What is it being used to accomplish for the organization? 

c. Is there a legal or rational basis for each use of information? 

6. Access to Personal Information. 

a. Who can access personal information? 

b. Does everyone with access have a business need-to-know the informa- 
tion? 

c. Is access monitored? 

d. Are employees technologically capable of accessing personal information 
that they should not be able to access? 

7. Disclosure of Personal Information 

a. How is personal information shared within Nationwide? 

b. Are the principles of need-to-know enforced? 

c. Do these disclosures have a legal basis? 

8. Disclosure of Personal Information with Third Parties. 

a. Does a contract exist with all third parties that receive Nationwide infor- 
mation? 

b. Have we conducted an information security audit to determine whether 
the third party is capable of adhering to the laws that require the informa- 
tion to be protected? 

9. Data Integrity 

a. Is the data accurate and up-to-date? 

b. Is there a way for customers to access their data and valid correct errors? 

10. Management 

a. What documentation or privacy procedures exist? 

b. Is it up-to-date, accurate, and sufficient for the company of division? 

c. Does it need to change to satisfy the new law? 

d. Can it be extrapolated to the rest of the organization as a best practice? 

e. Is there anyone responsible for complying with laws and regulations? 

After going through the first assessment, which formed our legal analysis of pri- 
vacy, the VPT in conjunction with a steering committee that I chaired drafted a pri- 
vacy policy for Nationwide and a privacy statement detailing our privacy policy for 
our customers. The privacy policy was then adopted by a steering committee of sen- 
ior Nationwide executives. This became the privacy philosophy that the VPT ad- 
hered to when implementing privacy across all Nationwide companies and divisions. 
It was the foundation upon which we have built our program over these past six 
years. 

Step Two — Assess 

Over an 18-month period, as these different assessments were completed, the VPT 
concurrently analyzed the results and determined how they fit with the overarching 
privacy policy. We then addressed the key question of whether the results of the 
assessment were sufficient or did they need modifications to match the newly draft- 
ed privacy policy? This is the hallmark of step two, which is identify and address 
gaps in your processes and procedures. 

In step two, the VPT and small number of outside consultants conducted gap 
analyses between the legal requirements, the new Nationwide Privacy Policy and 
the results of the different assessments. For example, number nine in the assess- 
ment list, above, was Disclosure of Personal Information with Third Parties. To ad- 
dress this assessment, the VPT member worked with the team responsible for exe- 
cuting contracts in each company or division to evaluate the findings in the assess- 
ment against the legal requirements and Nationwide’s Privacy Policy. In some 
cases, they discovered that they could not find a copy of a contract, or that a written 
contract didn’t exist. Many contracts did not contain the new confidentiality, pri- 
vacy, and information security, language required by the GLBA. These teams identi- 
fied the gaps and developed a plan to address the gaps identified. 

The VPT then created project plans to address the gaps. Let’s use an assessment 
from earlier — Access to Personal Information. One of the items of the assessment 
was an illustration of how personal information flowed through a company or divi- 
sion. This assessment included where the personal information was stored and 
which associates could access it. 

The privacy sub-team then documented the tasks necessary to address the gap be- 
tween the assessment and both the legal requirements and Nationwide Privacy Pol- 
icy. The next step was to develop a project plan to assign the activities for each task 
and to monitor the progress. 
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Step Three — Monitor and Audit 

After the dozens and dozens of projects to address the identified gaps were fin- 
ished, we created a privacy compliance program to audit the privacy procedures that 
the teams implemented. For practical reasons, this program was created and housed 
in the Office of Privacy, because it contained the evolving set of experienced profes- 
sionals capable of carrying out these tasks. 

There are several purposes to the audit phase of privacy implementation. One 
purpose is to confirm that the privacy processes are still operating. Sometimes, 
when the novelty of a project fades, employees inadvertently regress back to old 
practices. Also, employees often change jobs and the institutional memory leaves the 
unit. Monitoring through self-assessment or more formal audits keep compliance 
issues fresh and illustrate actual privacy practices to business leaders. 

Another purpose of continuous monitoring or auditing is to determine whether a 
compliance process change is necessary as a result of a new business process. Busi- 
ness is a constantly changing environment. Audits help discover when new privacy 
processes are necessary to meet these new changes. 

Finally, informal monitoring and audits prepare companies for formal market con- 
duct audits by regulators. Regularly conducting internal audits allows business to 
understand and address privacy risks before a regulator conducts an audit. This re- 
duces the risk of regulatory enforcement and fines. 

Step Four — Repeat 

Privacy implementation never ends. Thus, the four step process is really a contin- 
uous improvement loop. This has been extremely important over the past six years, 
as each year the private sector has been faced with an ever expanding array of legis- 
lative and regulatory requirements around privacy and information security. In ad- 
dition to the changing legal landscape, a company is required to repeat the process 
to accommodate new business goals or changes to existing processes. 

In summary, this may be an overly simplistic explanation of the complex process 
of implementing privacy throughout any organization — public or private. However, 
I believe that it correctly points out the nature of the process and is easy to under- 
stand. There is one other important item to note here. None of this is possible with- 
out a clear mandate and strong support from the top of the organization. If the pri- 
vacy office lacks the support of the chief executive, whether this is a private or pub- 
lic organization, it will never be able to effectively carry out its mission. A privacy 
office without senior management support may be worse than not having a privacy 
office, because it merely provides an illusion of privacy without the reality. 

The Challenges — Balancing Competing Interests 

Earlier, I discuss the requirement for financial institutions to create a privacy 
statement, which describes how the company uses, protects, and shares customer in- 
formation. It is difficult for a large company like Nationwide to make blanket prom- 
ises to customers, because there are many competing priorities when it comes to pri- 
vacy. This is no different for the DHS Privacy Office. 

The challenges that arise while implementing privacy at Nationwide became ap- 
parent immediately. In business, information is money. At Nationwide, the more a 
division knows about an individual, the better the company can protect the financial 
needs of the individual. However, certain laws or contractual obligations between 
parties often make it difficult to “know” everything about a customer. It is equally 
true in both the private and public sectors. 

Let me give you an example of how this can impact a company: 

Susan works for a municipality and has a 457 deferred compensation plan with 
Nationwide that she obtained through her employer — a municipal government — 
whose relationship is with an independent producer under contract to Nationwide. 
Susan also has a Nationwide Insurance Agent through whom she purchased auto 
and homeowners insurance. Susan trusts her Agent to help her protect her financial 
assets — specifically, her house and her car. One day, Susan visits her agent and 
says that she has accepted a new job with a private company and is moving to a 
new city. Based on this scenario, one can see that Susan has at least three financial 
needs: 

1. Change her auto insurance to a new state; 

2. Change her homeowners insurance to the new state and residence; 

3. Consider options for the assets in her 457 plan. 

Today, the Agent can help Susan with the first two of her three financial needs. 
It would help Susan the most if the Agent could also look up the details of her 457 
plan and provide this information to a licensed Nationwide broker to help Susan un- 
derstand options for getting the most out of her 457 plan after she moves to a new 
job. But, for a variety of legal reasons, the outcomes of privacy implementation at 
Nationwide prevent this from occurring. The Agent does not have access to — nor 
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does he even have knowledge of — Susan’s 457 plan information and, thus, he cannot 
help her consider options after she changes jobs. 

I bring up this simple example to illustrate the challenges with implementing pri- 
vacy. With every assessment, task to address a gap, or audit, there are three com- 
peting factors vying for the most beneficial outcome from their perspective. These 
include: 

1. The business need for quick access to abundant amounts of personal informa- 
tion. Remember, information is money. The business cannot succeed without 
personal information. 

2. The customer expectation. The customer wants the product or service that 
purchased or contracted for. The customer also has high expectations for how 
they want companies to manage and use their information. In short, they want 
it locked in a vault stronger than Fort Knox. But at the same time, they want 
Nationwide to be able to access it via phone, e-mail, Internet, or Agent 24 hours 
a day, seven days a week. They also expect to be provided additional products 
or services that can either save them or make them money. These are in and 
of themselves other competing interests for companies to manage. 

3. The privacy regulations. Like all regulations, they serve a good purpose, in 
this case: protect individual investors or insured. But, they also come with unin- 
tended consequences, just like Susan’s example from above. 

As you can see, the job of a Privacy Officer is to help balance these three com- 
peting interests, like a carpenter of a three-legged stool. Picture a three-legged stool. 
The benefit of having three legs instead of four is that each leg can be a slightly 
different length, yet the stool will still function as a stool, even if it is a little lop- 
sided. Because, in the end, it rarely happens that each leg of the stool — each of the 
three competing interests — is exactly equal. Generally, they are different. Some- 
times, the privacy regulation is a bit longer, meaning the most important interest 
in a given business project. Other times, the interest of the customer or the business 
is given a slightly greater importance. But, the stool still functions as a stool. 

This is no different for the DHS Office of Privacy. Ms. Cooney, her predecessor 
and those who will follow her, has also been asked to become a carpenter of a three- 
legged stool. But, in the DHS Privacy Office’s case, the three competing interests 
are: 

1. Government’s responsibility for security, including responsibilities under the 
Homeland Security Act, the Aviation and Border Security Acts, and others 

2. Individual privacy expectations; 

3. The Privacy Office’s responsibilities under Section 222 of the HAS, the Pri- 
vacy Act, the Freedom of Information Act, and other competing and compatible 
privacy laws. 

Listing the challenges that arise when implementing privacy is easy; resolving 
them takes time and resources and the power to effectuate the necessary change. 
It is a constant balancing act often with different outcomes each time an issue 
arises. It is hard to argue that the DHS Privacy Office is not faced with tremendous 
challenges in this area, as they balance the nation’s collective security interests 
against the individual’s interest in privacy. 

A Very Brief Analysis of the DHS Privacy Office 

Now, compare and contrast the process that I have just described to the DHS’ Pri- 
vacy Office: assess, address, audit, and repeat. All four steps must be tailored to 
government processes and then followed in the DHS for the Privacy Office to meet 
the requirements set forth by the Homeland Security Act, the Privacy Act, and sev- 
eral other laws regulating the government’s use of personally identifiable data. Con- 
sider also the discussion about balancing important competing interests within an 
organization. 

As you know, the Homeland Security Act (HSA) of 2002 authorized the formation 
of the Department of Homeland Security and the addition of a secretary to the 
president’s cabinet to oversee the new department. Among other things, the Home- 
land Security Act also provides that the Secretary “shall appoint a senior official in 
the Department to assume primary responsibility for privacy policy, including: 

(1) assuring that the use of technologies sustain, and do not erode, privacy pro- 
tections relating to the use, collection, and disclosure of personal information; 

(2) assuring that personal information contained in Privacy Act systems of 
records is handled in full compliance with fair information practices as set out 
in the Privacy Act of 1974; 

(3) evaluating legislative and regulatory proposals involving collection, use, and 
disclosure of personal information by the Federal Government; 
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(4) conducting a privacy impact assessment of proposed rules of the Department 
or that of the Department on the privacy of personal information, including the 
type of personal information collected and the number of people affected; and 

(5) preparing a report to Congress on an annual basis on activities of the De- 
partment that affect privacy, including complaints of privacy violations, imple- 
mentation of the Privacy Act of 1974, internal controls, and other matters.” 

To operationalize its legislative mandate, the DHS Privacy Office developed a Mis- 
sion Statement that states the mission of the DHS privacy office is to minimize the 
impact on the individual’s privacy, particularly the individual’s personal information 
and dignity, while achieving the mission of the Department of Homeland Security.” 
The mission goes on to state — and I am summarizing here — that the Privacy Office 
will achieve this goal through: 

1. education and outreach efforts to infuse a culture of privacy across the de- 
partment, 

2. communicating with individuals impacted by DHS programs to learn more 
about the impact of DHS policies and programs, and, 

3. Encouraging and demanding adherence to privacy laws. 

Anyone who reads this Mission can see that the DHS Privacy Office is faced with 
the exactly same opportunities and challenges that any privacy office, including 
mine, faces every day — but on a much, much larger scale, and with a completely 
different risk dynamic. At Nationwide, my office is responsible for educating employ- 
ees and establishing a culture of privacy, resolving the natural conflicts that occur 
with business interests in regard to this concept of privacy, and requiring adherence 
to privacy laws. There would appear to be little difference between my mission and 
the mission of the DHS Privacy Office. 

Nevertheless, one wonders whether the DHS Privacy Office has the budget, staff 
and institutional authority to adequately carry out its mission. I will address some 
of these concerns in my recommendations and considerations below. In fact, the 
DHS Privacy Office has done a wonderful job working with the limited resources 
made available to it. They have done many of the assessments of existing DHS pro- 
grams and appear to be integrated into the planning and review processes for future 
programs or programs under development. They have addressed most of the gaps 
discovered through their initial assessments. They also have a nascent employee pri- 
vacy education component, although it lacks adequate funding. Where they could 
probably use the most assistance and resources is with operating their ongoing mon- 
itoring and audit function. This function is in its infancy and is inadequately 
staffed. Even if it were adequately staffed, it is doubtful that the Privacy Office has 
the legal authority to conduct the type of deep analysis necessary to ensure ongoing 
adherence to privacy laws. This incongruity is addressed further under my rec- 
ommendations, below. 

In sum, the Privacy Office is well organized and understands what it needs to do 
to carry out to meet its objectives. Its staff is highly motivated and experienced. 
However, they may lack support from the top and they clearly lack the financial 
resources necessary to effectively do the job Congress directed them to perform 
through Section 222 of the HSA. 

Recommendations and Items for Consideration 

While there are always risk assessments and balancing tests between privacy and 
other interests that must occur whether one is working in a public or private sector 
privacy capacity, there are still a few things that Congress should consider to make 
it more likely tbat our nation’s privacy laws are not violated. Therefore, I respect- 
fully submit the following for the Committee to consider as it defines its future 
agenda: 

1. Strengthen the Statutory Authority of the DHS Privacy Office. The Privacy 
Office should have a clear and direct reporting line to Congress. If Congress is 
uncomfortable with Inspector General-like powers, then consider taking a half- 
measure and give the Privacy Office ombudsman-like power. Burying the office 
inside DHS means that it will never have the authority or respect it needs to 
carry out its mandate. The Privacy Office will rarely be able to act independ- 
ently, and it will spend more time merely trying to survive politically than it 
will carrying out its mission to protect our citizens’ privacy. 

2. The DHS Privacy Office should have a larger budget to carry out its critical 
mission. The current $4.3 million budget does not on its face appear sufficient 
in light of DHS’ overall budget to protect the privacy of all Americans. The dif- 
ference between this year and last year’s budget is only an increase of a few 
hundred dollars. I would doubt that any other area of DHS saw this paltry of 
an increase in its budget. 
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3. Congress should consider adding Chief Privacy Officers and Privacy Offices 
to all federal agencies, or at least those that generally collect and process per- 
sonal information on citizens. Congress may even want to consider creating a 
Federal Data Commissioner, similar in authority and scope to those existing in 
the nations of the European Union. The Data Commissioner could either be the 
first among equals, or it could be the overarching policymaking body for enforc- 
ing all federal data processing. This body would have inspector general powers. 

4. Transparency in information processing is fundamental to the role that the 
Privacy Office plays. The Freedom of Information Act Office needs to stay con- 
nected to the Privacy Office, because this is the Privacy Office’s single real con- 
nection to its customers, namely U.S. citizens. One of the hallmarks of fair in- 
formation practices is the ability of citizens or customers to know what informa- 
tion an entity has on them and have the ability to correct any erroneous infor- 
mation. This is simple due process and improves the integrity and accuracy of 
any organization’s data. This role is naturally played the Privacy Office. 

6. DHS should quickly appoint an official replacement for Nuala O’Connor 
Kelly, who left many months ago. The Acting Privacy Officer, Maureen Cooney, 
is doing a very capable job and should be seriously considered as the official re- 
placement. However, the optics of not having an official replacement devalues 
the Privacy Office politically and organizationally. It indicates the job being ca- 
pably performed by the staff may not be seen as worthy by senior department 
and administration officials as other areas in DHS and this undercuts the Pri- 
vacy Office’s authority. 

Conclusion 

I hope that my testimony helped illustrate the large effort, cost, and authority 
necessary for a corporation to effectively implement a privacy office. In order for the 
DHS Office of Privacy to effectively carryout its statute-defined requirements, it will 
need resources and the authority to implement a privacy program that balances the 
requirements of law, the responsibility of the government to protect its citizens, and 
the individual right of privacy. 

Additionally, as I stated above, no privacy office can be successful without clear 
and strong support from the top. If support from the chief executive is absent, the 
privacy function will never be able to effectively carry out its mission. In fact, tr 3 ring 
to perform a privacy function without senior management support may be worse 
than not doing anything with privacy, because it provides an illusion of privacy 
without the reality of having any. 

Thank you for inviting me to speak with you this morning. I would be happy to 
answer any questions that you may have. I would also be more than happy to speak 
with you again or to work with you and your staff on any privacy issue. 

Mr. Simmons. Thank you very much. 

And now the chair recognizes Professor Turley. 

We have your statement in the record this morning. If you can 
summarize in 5 minutes, that would he appreciated. And we look 
forward to hearing what you have to say. 

STATEMENT OF JONATHAN TURLEY, SHAPIRO PROFESSOR OF 
PUBLIC INTEREST LAW, GEORGE WASHINGTON LAW SCHOOL 

Mr. Turley. Thank you, Mr. Chairman. I will do my very best. 

Mr. Simmons. If I could just say, I had a seminar at Yale that 
was 2 hours, but since I have come to Congress, my colleagues 
have not allowed me to take that amount of time. 

Mr. Turley. A most enlightened institution for that reason. 

Mr. Chairman, members of subcommittee, thank you very much 
for allowing me to speak on this important issue today of privacy 
and Homeland Security. And, of course, they are not separate 
issues. When we talk about Homeland Security, it is privacy that 
we are protecting. It is one of our core values. It defines us as a 
people. 

Now, the DHS represents, for privacy advocates like myself, 
something of a concern just by its mere size and the myriad of 
functions that it has taken on. Due to its size and those functions. 
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it has a much greater impact on privacy. It affects the lives of 
Americans more than any other agency, because it is the agency of 
first contact for most Americans when it comes to airports and im- 
migration and customs and disaster relief. So to the extent that 
DHS does not respect the privacy interest, it has the greatest im- 
pact upon citizens. 

The other problem and concern for the DHS for many privacy ad- 
vocates is that it is much like a governmental iceberg, that even 
though you see the DHS or at least its counterparts in your daily 
life, 90 percent of the agency remains below the surface, and so 
there is a lack of transparency. And privacy is often protected by 
the fact of transparency in government, the greater transparency, 
the greater protection of privacy because it tends to deter mis- 
conduct, and you don’t have the abuses at all rather than having 
to chase them down through oversight committees. 

Now, of course, privacy is protected in the Constitution. It is pro- 
tected by various statutes, and for much of our history, it was pro- 
tected by practical limitations. Probably the greatest protection of 
privacy was that the government could not engage in surveillance 
of a large number of people at one time. 

In the last two decades, we have seen that technological barrier 
fall as we saw with DARPA and the TIA program. We now have 
the ability to follow Americans in real time. That is something the 
framers would never have anticipated, and it is why privacy is very 
much under threat. 

The greatest concern for privacy is uncertainty, that is uncer- 
tainty is the scourge of privacy. Privacy is based upon an inception 
that your privacy will be recognized. To the extent that you are un- 
certain, you have a chilling effect, and that affects how people live 
their lives. And DHS recently was found to have one of the lowest 
privacy scores in a 2006 study. 

I have gone through the myriad examples of threats to privacy 
that relate to DHS, but much of my testimony deals with the NSA 
operation. Now the problem with the NSA operation is really two- 
fold. 

One — and let me put this as simply as I can — it is based on a 
crime. Now, the overwhelming majority of experts in this field — Re- 
publicans and Democrats — are pretty uniform in this conclusion. It 
is inescapable. 

There is an exclusivity provision in federal law. You cannot do 
what the president ordered his subordinates to do. If I thought that 
this was a close question, I think I have a reputation of going right 
down the middle on questions that are debatable. This is a crime. 
It was ordered 30 times by the president, and he stated that he 
will continue to order it. 

It gives me no pleasure to say that. And I am not talking about 
his motivation. But often, people act for the best motivations with 
the worst possible means. 

My testimony lays out why this is a criminal act, and that pre- 
sents a serious problem for DHS. I do believe this committee has 
jurisdiction over this question. This committee has a liaison func- 
tion with intelligence agencies. It governs intelligence information 
gathering that relate to DHS entities. It has a role in intel; it looks 
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at the role of Intel in threat prioritization in its oversight function. 
It is the recipient of information. 

After post-9/11, there is a mandate that agencies share informa- 
tion. The expectation is that Homeland Security is either the direct 
or indirect recipient of NSA information. That creates, not just the 
danger of DHS officials participating in a criminal enterprise, but 
it creates the specter of the fruit of the poisonous tree where activi- 
ties of DHS may be undermined because of their reliance on unlaw- 
fully gathered information. 

I know that my time is out, but I have listed towards the end 
of my testimony various proposals that can help protect privacy. 
But there is one that I just wish to emphasize. All of us, I believe, 
as Americans, have a faith in privacy. We know how important it 
is. I know the chairman has valued that. We have discussed that. 
But we cannot remain silent, because silence is a choice. 

The NSA operation represents a serious threat to privacy and a 
serious threat to our constitutional values. And I hope that this 
committee will assert its authority — I know the chairman has at- 
tempted to do so — ^but will be vigorous in asserting its authority to 
hold hearings on the NSA operation and not to be deterred by any 
past refusals. 

Thank you so much, sir. 

[The statement of Mr. Turley follows:] 

Prepahed Statement of Professor Jonathan Turley 

Chairman Simmons, Representative Lofgren, members of the Subcommittee, 
thank you for allowing me to appear today to testify on the important issues of pri- 
vacy and homeland security. 

I come to this subject with prior work as both an academic and a litigator in the 
areas of national security and constitutional law. As an academic, I have written 
extensively on electronic surveillance as well as constitutional and national security 
issues. I also teach constitutional law, constitutional criminal procedure and other 
subjects that relate to this area. As a litigator, I have handled a variety of national 
security cases, including espionage and terrorism cases. I am appearing today, how- 
ever, in my academic capacity to address important issues related to domestic sur- 
veillance and homeland security. 

I. GENERAL PRIVACY CONCERNS RAISED BY POST 9-11 
SURVEILLANCE AND ENFORCEMENT. 

The Department of Homeland Security (DHS) is the agency with the greatest abil- 
ity to erode privacy since it has the dominant role, with the Federal Bureau of In- 
vestigation (FBI), in domestic enforcement activities. Due to its size and diverse 
functions, the DHS has a much greater impact on privacy than any other agency. 
The DHS affects the lives of Americans to a far greater extent than most agencies 
because it has a far greater number of contacts with citizens in their everyday lives 
from airport security to disaster relief to immigration to customs. The DHS is not 
just a massive agency, it is a massive consumer of information from other agencies, 
state governments, private contractors, and private citizens. While the FBI is sub- 
ject to criminal procedures and routine court tests, DHS is like a government ice- 
berg with ninety percent of its work below the visible surface. This general lack of 
transparency makes it easier for abuses to occur by reducing the risk of public dis- 
closure and review. 

At risk is something that defines and distinguishes this country. Privacy is one 
of the touchstones of the American culture and jurisprudence. Indeed, it is a right 
that is the foundation for other rights that range from freedom of speech to freedom 
of association to freedom of religion. The very sanctity of a family depends on the 
guarantee of privacy and related protections from government interference. 

Privacy is protected by the Constitution, including but not limited to the protec- 
tions afforded by the Fourth Amendment. It is also protected in various statutes, 
such as the Privacy Act of 1974; E-Government Act of 2002, and the Federal Infor- 
mation Security Management Act of 2002 (FISMA). Further protections can be 
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found in the substantive and procedural requirements of surveillance laws such as 
Title III and the Foreign Intelligence Surveillance Act (FISA). 

Finally, there have long been practical protections of privacy. Until recent techno- 
logical advances, there were practical barriers for the government to be able to con- 
duct widespread surveillance on citizens. However, it is now possible to track citi- 
zens in real time with the use of advanced computers as recently made clear by the 
disturbing Terrorism Information Awareness (TLA) project of Defense Advanced Re- 
search Projects Agency (DARPA). These new technological advances constitute an 
unprecedented threat to privacy. Agencies like DHS often naturally gravitate to the 
accumulation of greater and greater information. Technology now allows these agen- 
cies to satiate that desire to a degree that would have been unthinkable only a cou- 
ple of decades ago. 

Despite these protections, privacy remains the most fragile and perishable of our 
fundamental rights. When pitted against claims of national security, privacy is often 
treated as an abstraction and government officials offer little more than rhetorical 
acknowledgement of privacy concerns in their programs and policies. The resulting 
uncertainty is the very scourge of privacy. Privacy depends on a certain expectation 
of citizens that they are not being watched or intercepted. When uncertain of the 
government’s effect that inhibits the exercise of free speech and other rights. 

The uncertainty over privacy is clear in recent polls and studies. Notably, the 
DHS receives one of the lowest scores on the privacy question. The 2006 Privacy 
Trust Study of the Ponemon Institute gave the DHS only a 17 percent score, down 
by 10 percent from the previous year. 

This freefall is more than a public relations problem. Our constitutional test for 
privacy under the Fourth Amendment is based on “the reasonable expectation of 
privacy” under the Katz doctrine. To the extent that a citizen has a reasonable ex- 
pectation of privacy, the government is usually required to satisfy a higher burden, 
including the use of a warrant for searches. The Katz test has now created a certain 
perverse incentive for government. As agencies like DHS reduce that expectation of 
privacy in the public, it actually increases the ability of the government to act with- 
out protections like warrants. The result is a downward spiral as reduced expecta- 
tions of privacy lead to increased government authority which lead to further re- 
duced expectations. 

Privacy concerns after 9-11 have grown with each year in the war on terror. There 
is a pervasive view that the Administration is wielding unchecked and, in some 
cases, unlawful authority in the war on terror. In areas that range from enemy com- 
batant detentions to warrantless domestic surveillance programs to data mining of 
private records, the chilling effect for privacy and civil liberties has become posi- 
tively glacial for many citizens, particularly citizens of the Muslim faith or Middle 
Eastern descent. 

Just in the last few months, Congress has faced a remarkably wide range of 
issues that directly threaten privacy rights and civil liberties. It is regrettably a long 
and lengthening list. Today, in the interests of time, I wanted to focus on a few of 
the most recent controversies to show how privacy rights and civil liberties are erod- 
ed by the aggregation of otherwise disparate and insular programs. While these ex- 
amples may appear unrelated, they each impact privacy rights and civil liberties in 
significant ways. The point that I wish to convey is that privacy is being under- 
mined in a myriad of ways and that any effort to protect this right will have to be 
equally comprehensive. 

a. The Failure to Comply with Privacy Standards, including the Use of 
Reseller Information That Lack Fair Information Practices. As shown re- 
cently by the GAO, the DHS is using an increasing amount of data from infor- 
mation resellers that lack critical protections and fair information practices. The 
recent misuse of 100 million personal records in alleged violation of the Privacy 
Act typifies this concern. 

h. Over-classification and Reclassification Efforts. The Administration has 
led a serious rollback in the efforts to gain greater transparency in government 
by over-classifying and reclassif 3 dng basic documents and information. Agencies 
like DHS can prevent disclosure of misconduct or negligence by using classifica- 
tion rules to avoid review. 

c. Registered Traveler Programs. The DHS continues to encourage the cre- 
ation of registered traveler programs that would assemble a databank of pre- 
screened passengers. Whether run privately or governmentally, these programs 
offer illusory security but present serious threats to civil liberties. 

d. Failure to inform Congress of Surveillance Programs like the NSA 
operation. One of the greatest protections of civil liberties is the separation of 
powers doctrine and its inherent system of checks and balances. The failure to 
inform the members of Congress, particularly the full committee membership 
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of the intelligence committee, of ongoing intelligence activities negates any 
meaningful oversight functions. 

e. New Threats Against Whistleblowers. Legislation to increase penalties 
for federal whistleblowers is a startling reaction to the disclosure of unlawful 
activity. This is exemplified by the proposed increase in penalties for officials 
seeking to disclose unlawful activity under the NSA domestic surveillance pro- 
gram. Likewise, the continued refusal of Congress to pass a federal shield law 
for journalists can only be seen as an intentional deterrent for whistleblowers. 
When an official at DHS is aware of an unlawful program, the media may be 
the only effective way to stop the illegality. 

These are a few of the most recent examples of how privacy rights and civil lib- 
erties protections are being pummeled across a long spectrum of insular govern- 
mental policies and programs. If Congress truly wants to protect privacy, it 
must deter threats by increasing both the likelihood of disclosure of unlawful 
conduct and the penalties for such conduct. This requires greater transparency 
in agencies like the DHS, better oversight in Congress, and fuller protection for 
those who seek to disclose misconduct. 

II. THE NSA DOMESTIC SURVEILLANCE PROGRAM 

The recent NSA operation brings together many of the most dangerous elements 
discussed above: lack of congressional oversight, the violation of federal law, the 
pursuit of whistleblowers, and finally the absence of any meaningful action from 
Congress. In terms of privacy rights, the NSA operation also presents the most seri- 
ous attack on the guarantees that are essential for the exercise of the full panoply 
of rights in the United States. 

The disclosure of the National Security Agency’s (NSA) domestic sp3dng operation 
on December 16, 2005 has created a constitutional crisis of immense proportions for 
our country. Once a few threshold, and frankly meritless arguments of legality are 
stripped away, we are left with a claim of presidential authority to violate or cir- 
cumvent federal law whenever a president deems it to be in the nation’s security 
interests. As I made clear in a January hearing, these claims lack any limiting prin- 
ciple in a system based on shared and limited government. It is antithetical to the 
very premise of our constitutional system and values. 

This is, of course, not the first time that President Bush or his advisers have 
claimed presidential authority to trump federal law. In its infamous August 1, 2002 
“Torture Memo,” the Justice Department wrote that President Bush’s declaration of 
a war on terrorism could “render moot federal law barring torture.” The Justice De- 
partment argued that the enforcement of a statute against the President’s wishes 
on torture “would represent an unconstitutional infringement of the president’s au- 
thority to conduct war.” 

The President also assumed unlimited powers in his enemy combatant policy, 
where he claimed the right to unilaterally strip a citizen of his constitutional rights 
(including his access to counsel and the courts) and hold him indefinitely. 

On December 30, 2005, President Bush again claimed authority to trump federal 
law in signing Title X of the FY 2006 Department of Defense Appropriations Act. 
That bill included language outlawing “cruel, inhumane or degrading treatment” of 
detainees, such as “waterboarding”, the pouring of water over the face of a bound 
prisoner to induce a choking or drowning reflex. In a signing statement. President 
Bush reserved the right to violate the federal law when he considered it to be in 
the nation’s interest. 

The NSA operation, however, is far more serious because the President is claim- 
ing not just the authority to engage in surveillance directly prohibited under federal 
law, but to do so domestically where constitutional protections are most stringent. 
The scope of this claimed authority is candidly explained in the Attorney General’s 
recent whitepaper, “Legal Authorities Supporting the Activities of the National Se- 
curity Agency Described by the President.” As I noted in the prior hearing, it is a 
document remarkable not only in its sweeping claims of authority but its con- 
spicuous lack of legal authority to support those claims. It is also remarkably close 
to the arguments contained in the discredited Torture Memo. 

The vast majority of experts in this field have concluded that the NSA program 
is unlawful. Even stalwart Republican members and commentators have rejected its 
legality. It is an inescapable conclusion. Under Section 1809, FISA states that it is 
only unlawful to conduct “electronic surveillance under color of law except as au- 
thorized by statute.” The court in United States v. Andaman, 735 F.Supp. 1469 
(C.D. Cal. 1990), noted that Congress enacted FISA to “sew up the perceived loop- 
holes through which the President had been able to avoid the warrant requirement.” 

FISA does allow for exceptions to be utilized in exigent or emergency situations. 
Under Section 1802, the Attorney General may authorize warrantless surveillance 
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for a year with a certification that the interception is exclusively between foreign 
powers or entirely on foreign property and that “there is no substantial likelihood 
that the surveillance will acquire the contents of any communications to which a 
United States person is a party.” 

No such certification is known to have occurred in this operation. Nor was there 
an authorization under Section 1805(f) for warrantless surveillance up to 72 hours 
under emergency conditions. Finally, there was no claim of conducting warrantless 
surveillance for 15 calendar days after a declaration of war, under Section 1811. 

The NSA operation was never approved by Congress. Moreover, the Administra- 
tion’s attempts to use the Authorization for Use of Military Force, Pub. L. 107-40, 
115 Stat. 224 (2001), as such authorization is beyond incredible, it is 
unfathomable.With no exceptions under the Act, the NSA operation clearly con- 
ducted interceptions covered by the Act without securing legal authority in violation 
of Section 1809. 

The NSA operation is based on a federal crime ordered by the President not once 
but at least 30 times. Indeed, in his latest State of the Union Address, President 
Bush pledged to continue to order this unlawful surveillance. A violation of Section 
1809 is “punishable by a fine of not more than $10,000 or imprisonment for not 
more than five years, or both.” Likewise, an institutional defendant can face even 
larger fines and, under Section 1810, citizens can sue officials civilly with daily dam- 
ages for such operations. 

The DHS is likely a recipient — directly or indirectly — of the information gathered 
under this unlawful program. In my view, government officials participating in this 
program are participating in an ongoing criminal enterprise. The DHS officials have 
an independent obligation to determine if this program is lawful and to refuse to 
participate on any level with the program if it is viewed as unlawful. This includes 
the receipt or use of intelligence. Moreover, to the extent that federal courts deter- 
mine that this operation is unlawful, the incorporation of the intelligence in DHS 
investigations or enforcement may ultimately result in undermining those activities. 
Under a classic “fruit of the poisonous tree” theory, the use of this tainted intel- 
ligence can taint any information gathered as a result of its use. 

Putting aside the questions of criminality, the NSA operation jeopardizes basic 
privacy guarantees. First, it shows an unchecked and unilateral exercise of presi- 
dential authority. Second, the conspicuous absence of congressional oversight has 
destroyed any faith in a legislative check on such authority. Finally, it created un- 
certainty for citizens as to their guarantees of privacy and civil liberties under this 
program or other undisclosed programs. 

III. WHAT CAN BE DONE? 

Just as there are a myriad of threats to privacy, there are a myriad of possible 
measures to protect privacy interests. The most significant protections often come 
in the form of protecting those who would reveal violations while deterring those 
who would commit the violations. Such reforms include the following: 

a. Investigation of the NSA domestic surveillance program with public hearings. 

b. Strengthening of whistleblower protections, particularly for employees at de- 
fense, intelligence, and homeland security agencies. 

c. Strengthening laws on data mining and data sharing by agencies, including 
meaningful deterrents for agencies like DHS that violate the Privacy Act and 
other statutory protections. 

d. Reverse the trend toward reclassification and over-classification of documents 
that decreases the transparency of government by enacting new avenues to 
challenges overbroad assertions of classified status. 

e. The Congress should prohibit not simply a government-run registered trav- 
eler system but a private-run system. The DHS support for a pilot program in 
Orlando should be ended by barring the expenditure of any federal funds and 
prohibiting the incorporation of such a program into TSA airport security sys- 
tems. 

f. Congress should require compliance with conferral rules on all intelligence op- 
erations (other than covert activities) so that all members of the intelligence 
committees are informed of operations like NSA’s domestic surveillance pro- 
gram. 

g. A new system of privacy officers should be established so that every major 
office in agencies like DHS have a privacy officer who will be responsible for 
training, enforcing, and certifying compliance with federal privacy laws. 

h. Enhancing the authority and funding for the DHS Privacy Officer. While 
Congress created this position in the Homeland Security Act of 2002, there is 
a widespread view that the privacy officer needs greater authority and access 
as well as more resources to police the programs of this massive agency. The 
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slow response of the DHS to establish this office indicates a lack of internal sup- 
port of the model of an independent internal watchdog office. For this reason, 
changes should include a reporting requirement not only to the DHS but di- 
rectly to Congress. 

i. Congress should pass a federal shield law for journalists, as has virtually 
every state. Increasing legal threats for journalists, including contempt rulings, 
presents an obvious deterrent to any whistleblower seeking to disclose unlawful 
conduct. 

j. Congress should require an annual report, with regular public hearings, on 
privacy matters to identify emerging threats to privacy and possible legislative 
solutions. 

IV. CONCLUSION 

These threats to privacy rights and civil liberties have created not just a constitu- 
tional crisis but a test for every citizen. Our legal legacy was secured at great cost 
but it can be lost by the simple failure to act. The President is right: these are dan- 
gerous times for our constitutional system. However, it is often the case that our 
greatest threats come from within. Indeed, Justice Brandeis warned the nation to 
remain alert to the encroachments of men of zeal in such times: 

Experience should teach us to be most on our guard to protect liberty when the 
Government’s purposes are beneficent. Men born to freedom are naturally alert 
to repel invasions of their liberty by evil-minded rulers. The greatest dangers 
to liberty lurk in insidious encroachments by men of zeal, well-meaning but 
without understanding. 

Citizens, let alone congressional members, cannot engage in the dangerous delu- 
sion that they can remain silent and thus remain uncommitted in this crisis. Re- 
maining silent is a choice; it is a choice that will be weighed not just by politics 
but by history. 

Thank you for the opportunity to speak with you today and I would be happy to 
answer any questions that you might have at this time. 

Mr. Simmons. And thank you very much for that testimony. We 
very much appreciate that. 

General Hughes, welcome back, and we look forward to your tes- 
timony. 

LIEUTENANT GENERAL PATRICK HUGHES, USA (RET.), VICE 
PRESIDENT OF HOMELAND SECURITY, L-3 COMMUNICATIONS 

General Hughes. Well, thank you. As you said, my testimony is 
contained in my written input. I appreciate the chance to appear 
before you today. 

I would like to express my views in a very simple form rapidly. 
I believe in protected rights of all persons in the United States ex- 
pressed in law, including, certainly, the right to privacy. 

Within the law, I think we are compelled under the conditions 
we now live in to collect information, analyze it, and produce utility 
information to perform the mission of protecting our nation and our 
citizens and residents. 

In the process of acquiring and providing information for this 
utility, we must discover and preclude terrorism. We simply cannot 
afford to have terrorist acts of the kind that we know could occur 
here in the United States. 

I also am mindful that much of the work of the Department of 
Homeland Security is focused on other crimes, crimes that are not 
terrorist in nature but are associated perhaps and are crimes of na- 
tional security implications. 

So much of what they do and what we expect from them as citi- 
zens has to do with criminal acts under the law as currently con- 
stituted. 

The use of this acquired information is important. It must be 
used legally to discover these acts or this plan and conspiracy 
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ahead of time in an attempt to preclude it. And that is really a 
very difficult goal under the complicated conditions that we now 
heard about from testimony this morning and that you know so 
very well, because you have lived there. 

I don’t think I am qualified to offer exact recommendations with- 
in constitutional law or within civil law and criminal law in this 
country, but I am a person who has practiced the effort to do this 
work here in the United States and overseas, and we must find 
some balance between protecting the rights of our citizens and our 
residents and countering the planned and indeed engaged acts of 
terrorists and criminals which do threaten our security, and in 
some cases, perhaps, our existence as we know it. 

Thank you very much. 

[The statement of General Hughes follows:] 

Prepared Statement of Patrick M. Hughes 
April 6, 2006 

Representative Simmons, Representative Lofgren, Members of the Sub-Committee 
on Intelligence, Information Sharing and Terrorism Risk Assessment: 

Thank you for the invitation to appear before you on the subject of “Protection 
of Privacy in the DHS Intelligence Enterprise.” I am appearing today as a private 
United States citizen, although it is noteworthy that from November 2003 until 
March 2005, during the early formative and developmental stages of the Depart- 
ment of Homeland Security, I was the Assistant Secretary for Information Analysis 
in the Information Analysis and Infrastructure Protection Directorate of DHS. Since 
then I have continued my interest and work in matters dealing with homeland secu- 
rity, homeland defense and intelligence related to homeland security on both profes- 
sional and personal levels. Prior to this period I served for more than 35 years in 
the US Army and from 1999 until 2003 as a private consultant to both government 
and industry. 

Because of this background I was asked to come here to give my views on issues 
that relate to the protection of privacy and really the protection and assurance of 
legal and procedural rights of Americans in the context of intelligence gathering and 
production of information that can be acted upon by those who work to protect the 
lives and property of our citizens. This “operationalization” of intelligence — espe- 
cially where it concerns persons who are residents of the US, including those who 
have full rights of citizenship, is vital to understanding my views. We have all 
learned, through bitter experience that we must seek to interdict, to preclude, to 
stop — impending acts of terrorism, before they occur, because that is the right thing 
to do. It is an imperative of all who serve our nation. In this modern era of the po- 
tential for the application of weapons with mass effects, we simply cannot afford to 
allow the commission of terrorism because we cannot bear the price and we cannot 
afford the consequences. 

Indeed, the toll that crime with homeland security implications takes on our social 
order each day, and the results of catastrophic disasters — which we have recently 
suffered through on a scale not experienced before — also affect my view of what we 
should protect and what we should abrogate when human heings become involved 
in these events. As we look to the future — in my view — we can anticipate the wors- 
ening of these conditions. 

My views have been formed in the crucible of combating the Viet Cong Infrastruc- 
ture in Vietnam; in seeking to discover acts of espionage and subterfuge during the 
Cold war; in ferreting out the meaning of North Korean activities; in engaging in 
the smaller hut vexing conflicts of recent years, including the hunt for War crimi- 
nals and insurgent groups in Bosnia, our attempts to decipher the tribal groups of 
Somalia, and our best efforts to break the erosive conditions found in places like 
Panama and Haiti. My views, like yours, have been formed in the crucible of 9-11 
and in the conditions and events of the post-9- 11 period in which many terrorist at- 
tacks and crimes with homeland security impact have occurred albeit primarily 
overseas. Here too — we must anticipate the future. New threats are on the horizon. 

My views are simple — yet found in the very complex context of today’s problems 
and circumstances. 



37 


My view is that we must engage in the collection of necessary information about 
persons of concern in order to discover conspiracy and intent that should be — that 
must be — interdicted in order to forestall an unacceptable condition, under the law. 

If we fail to interdict we must act in a similar fashion to understand that which 
we failed to stop and to know with certainty who or what was responsible for the 
event — so that we can learn and so that we can attribute both blame and appro- 
priate action in light of that blame. 

My view is that we should not violate the rights of American citizens in engaging 
in such activities, but rather that we should seek a legal finding of necessity under 
the law as rapidly as possible — before we abrogate any rights for the greater good. 

My view is that we must create a mechanism that provides for very rapid re- 
sponse (minutes to hours) to the legal tests of suspicion and probable cause to en- 
gage in both information collection and operational action — before the passage of 
time and the changing of circumstances results in the loss of our opportunity to act 
to prevent a catastrophe. 

My view is that we must provide for a degree of information collection, analysis, 
storage and production necessary to support analysis and operational decisions. 
Without this functional ability we cannot do the job. This capability — of necessity — 
must include intelligence, law enforcement, judicial organizations, the military and 
elements of governance and must be empowered through a form of secure interoper- 
ability that protects the security of the information and the rights of the persons 
involved. 

My view is that the government should have the right to compel any person — 
no matter who they are or what their legal status is — to provide dependable assured 
identification to appropriate authorities in appropriate conditions, like travel via 
mass transportation conveyances. Similarly we should have the right to compel the 
full disclosure of materials and items that are being transferred within, through and 
across our borders, on one’s person, in luggage, and in cargo — no matter what the 
nature of those materials and items are. 

We should have a viable mechanism that requires — not requests — that informa- 
tion be provided when citizen concern about activities they note reaches a level of 
compelling reaction. In this age we cannot sit idly by and not report that which 
seems to us to be suspicious or illegal, especially in the context of homeland security 
and homeland defense. Conversely we should not tolerate reports of a frivolous na- 
ture, or those based solely on contentious relationships and interpersonal disagree- 
ments. 

Finally, we should protect large gatherings and public venues with appropriate 
sensory technologies and dependable observation. Surely the answer, in the after- 
math of a future terrorist event, cannot be that we failed to secure a specific place 
or condition because of privacy concerns. 

In many cases this set of personal beliefs and views on my part — my “opinions” 
if you will — are hardly new or revolutionary. They are — in my view — basic and evo- 
lutionary. They form the foundation for a set of laws and procedures that will pro- 
tect the rights of our residents, our citizens and will help to protect and secure our 
Republic. I do not advocate excessive restriction nor do I advocate trampling on the 
rights of our people. Rather I counsel that we should find a set of laws and proce- 
dures that meet our needs — in the context of demonstrated threats and future condi- 
tions we can anticipate — and put those laws and procedures into force. 

I know this is difficult to do. I also recognize the highly politicized environment 
in which we are interacting today. As a fellow citizen I simply hope for some balance 
between doing that which is right and necessary to protect our people and property 
on our own soil, and not doing that which violates the expectation of privacy and 
personal freedom that each person is entitled to under the law. 

My goal is to secure a peaceful and safe progressive existence for our nation. 

Mr. Simmons. I thank all three witnesses for their excellent testi- 
mony. 

And I think, General Hughes, you stated very explicitly the co- 
nundrum that we face as Americans on the one hand, providing for 
common defense is an essential responsibility of the federal govern- 
ment. The Preamble to the Constitution also says that we must es- 
tablish justice. The First and Fourth Amendment rights are clear 
to all of us. And so in a situation where we are involved with 
threats, yes, we want to collect actionable intelligence, but at the 
same time, we don’t want to violate the rights of innocent citizens. 
And so this is the challenge of the balancing act. 
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Now, General Hughes, you served as the heart of I&A, Intel- 
ligence and Analysis in the Department of Homeland Security. Is 
that correct? That is my recollection. Different name. 

General Hughes. The same office but a different name. 

Mr. Simmons. Yes. 

General Hughes. The office has been enhanced by greater inde- 
pendence. 

Mr. Simmons. It would seem to me that in your capacity as head 
of that, the Intelligence and Analysis Office, you would receive in- 
telligence products from other agencies — the CIA, the National Se- 
curity Agency, Defense Intelligence Agency, NRO, et cetera, et 
cetera. You would receive those products. Presumably, you would 
receive them in a timely fashion. 

If you looked at a particular intelligence product, would you 
know how the information was collected that went into that prod- 
uct? 

General Hughes. Usually, I would know how the information 
was collected. In many cases, that collection mechanism would be 
classified in order to protect its viability. But generally speaking — 
in fact, sitting here trying to think about an exception to thaC I 
can’t think of one. So generally, I would know even in the most 
sensitive cases how it was collected. 

Mr. Simmons. And would you make a reasonable assumption 
that it was collected in accordance with the law? 

General Hughes. Yes, I would. I do think the use of the term 
law is important to me, and I would certainly defer to a more ex- 
pert person, but the term law must be accompanied, I think, by the 
term interpretation and procedure. Many of the activities carried 
out by the government and by law enforcement organizations and 
intelligence organizations are found in the larger construct of the 
law that are devolved, some would say evolved, into procedure, pol- 
icy and activity that can be interpreted differently by different per- 
sons. That has been a problem as long as our republic has been in 
existence, I think. 

I think we all seek to do the right thing and we seek to do it 
legally. There are occasions, I think, when different interpretations 
are very valuable, because they point out the tensions between 
what one group or one administration or one organization might 
view as being correct to do and what another person or group 
might do as being incorrect. But the law itself is generally a larger 
body of knowledge that is interpreted by others, and policy and pro- 
cedures put into effect on that basis. That makes it — I will use this 
term — problematic . 

Mr. Simmons. As a military officer and as a federal official sworn 
by your oath of office to uphold the constitutional laws of the 
United States of America, if, in your capacity as head of a INA or 
its predecessor, it came to your attention that there might be a pri- 
vacy issue, a violation of privacy involving some of the information 
in your possession, would you report that, or would you just keep 
it to yourself? 

General Hughes. Well, in fact, that very event happened, espe- 
cially as we formed the Department of Homeland Security. There 
were questions of the right to privacy by citizens and the right to 
protection under the privacy laws of the information that we held 
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in our files. And you had to take each case on its own merits and 
determine within the procedure and policy at the time in the con- 
text of law how you would handle that information. 

In some cases, the information was easy to expunge. It was very 
rapidly obvious in the eyes of persons with good judgment, our 
legal authorities and our privacy office that it should be expunged, 
and it was. 

In other cases where there is a belief that a conspiracy exists and 
a person is a participant in it to conduct an act of terrorism or an- 
other crime of homeland security implications, the deliberate deci- 
sion had to be made to retain that information and use it, and I 
think that, personally, in my own view, it is true but difficult to 
deal with that some of the information from some of the people con- 
cern citizens and residents of the United States. 

I mean, I think every day you read about these events in the 
newspaper, and they seem to me to be covered adequately by law. 
It is against the law to plan to commit a crime at some point, and 
certainly to commit a crime. And it is especially against the law in 
the context of protecting the citizens’ rights in this era we now live 
in of the potential for mass effects from such activities. I am not 
saying that the law needs to be changed, I am saying that we need 
to understand this in the context in which we are dealing with it. 

Mr. Simmons. I hear your testimony to be that, for you, this was 
a serious issue and something that you and your office took seri- 
ously. 

General Hughes. And I had the direct legal counsel available in 
my office at all times and a direct connection to the Privacy Office, 
and I can assure you, and I would certainly be happy to do so 
under oath, that we not only took it seriously, we practiced it seri- 
ously. 

Mr. Simmons. I thank you. My time is expired. 

The distinguished ranking member of the full committee, Mr. 
Thompson, from Mississippi. 

Mr. Thompson. Thank you very much, Mr. Chairman. 

I am not sure if I am — I am a little troubled by what you said, 
Mr. Hughes. Was this information gained that you considered 
gained legally or illegally? 

General Hughes. I certainly might hope that in every case, it 
was gained legally, but once again, the interpretation of the law 
and the interpretation of policy and procedure to some degree has 
to rest in the eyes of the beholder until a determination is made 
by legally constituted authority. In searching my memory here this 
morning, I can’t recall a single case where I ever believed it was 
gained illegally. However, I think once again one has to understand 
the modern environment in order to deal with this question. 

Mr. Thompson. We understand the environment. 

General Hughes. Okay. 

Mr. Thompson. Believe me. The question, though, is, notwith- 
standing the environment, there are some privacy considerations 
that have to be maintained. 

General Hughes. And I believe they were. 

Mr. Thompson. Well, I guess I will — Mr. Turley, under the 
present scenario of wiretapping private citizens and not going 
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through any procedure, is it your belief that that process at this 
point is in fact illegal? 

Mr. Turley. I absolutely believe that. And I don’t have a scin- 
tilla of doubt. And if you look back at pass testimony I have given 
to both the House and Senate — I have been called by Democrats 
and Republicans, and I have always expressed when I considered 
something to be a close call. 

This is not a close call. This here is an exclusivity provision 
under federal law. You have to do domestic surveillance no matter 
how you may frame it. This has always been viewed as domestic 
surveillance what was being done by the NS A. And you have to do 
it under either FISA or Title 3. You have to do it under that type 
of statutory authority. This was created to go around that. It was 
a direct violation of the exclusivity provision. And until the NSA 
operation, I don’t remember hearing anyone having any doubt 
about any of those questions. 

And that means that we have a very serious issue, because the 
president stood in front of Congress during the State of Union and 
said that not only had he ordered this 30 times, but he would con- 
tinue to do so until, basically, someone stopped him. 

And what was most astonishing is that members stood up and 
gave him a standing ovation. It was one of the most bizarre things 
I have ever seen as an academic. Members of Congress who pass 
these laws had a president who told them that he was not going 
to comply with those laws, and they give him a standing ovation. 

Now, the framers — I have to tell you, we all sort of speak for the 
framers as if we are in some type of carni show. 

[Laughter.] 

But I think it is safe to say that the framers did not think it was 
going to happen this way, that they believed that Congress would 
have an institutional interest that it would protect, that regardless 
of their affiliation to the president, that they would fight to protect 
the legislative authority of this body. This is the most central and 
direct threat to the legislative branch’s inherent authority that I 
have certainly seen in my lifetime. 

Mr. Thompson. Mr. Herath, you mentioned some things that we 
could do to strengthen the Privacy Office. I talked about some 
things like subpoena power, initiate investigations, and I would 
think that in order to do your job, you need the tools necessary. 
Where do you come down on that issue? 

Mr. Herath. Well, Mr. Thompson, I agree that the subpoena 
power and investigatory power in a formal sense is necessary. That 
probably was part and parcel of my recommendation of the statu- 
tory authority. 

I think, however, and I am speaking on behalf of the Privacy Of- 
fice. I am not speaking on behalf of the Privacy Office. I am speak- 
ing on behalf of me. But I think that would probably be the last 
thing you would want to do as a privacy official. The first step, as 
Ms. Cooney described, you try do it, you know, informally through 
relationships. 

If you have created a culture that is receptive to your privacy re- 
quests, I would say the vast majority, if not 99 percent, of your re- 
quest are going to be complied with. However, I think that there 
does need to be, for those special occasions where you simply in 
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many cases know that whoever it is you are asking is not forth- 
coming, I think you do need to have sort of that final hammer with 
the subpoena. 

Mr. Thompson. Or if that person that is withholding the infor- 
mation knows that you have subpoena authority. 

Mr. Herath. Correct. 

Mr. Thompson. And, you know, it is just a matter of time that 
they will pull that trigger. 

Mr. Herath. Well, yes, I often say, you know, you have got to 
have skin in the game. If there is no formal ramification for with- 
holding evidence, then there is a greater chance that will be with- 
held. 

Mr. Thompson. Thank you. 

I yield back, Mr. Chairman. 

Mr. Simmons. I thank the gentleman. Would the gentleman like 
to go a second round? 

Mr. Turley. One more. 

Mr. Simmons. Okay. 

Mr. Turley, thank you for your testimony. I was looking on page 
five, where you made the statement, “The NSA operation was 
never approved by Congress.” And again, while the jurisdiction for 
this program resides with the House and Senate Intelligence Com- 
mittees, in my opinion, I have always been troubled by the discus- 
sion of this program. 

The ranking member of the House Intelligence Committee has 
said publicly that the NSA program was essential to targeting al- 
Qa’ida, and she made the statement as the ranking Democrat on 
the House Intelligence Committee, “I have been briefed since 2003 
on a highly classified NSA foreign collection program that targeted 
al-Qa’ida. I believe the program is essential to U.S. national secu- 
rity and that its disclosure has damaged critical intelligence capa- 
bilities.” 

As somebody who served many years ago on this Senate Intel- 
ligence Committee, I was always puzzled by why senior members 
of these oversight committees did not, on the one hand, place the 
program into the law or alternatively legislate the program out of 
the law, or I should say legislate it to cease. I don’t believe either 
one of those actions took place. 

And I have also been concerned that through the routine author- 
ization and appropriation process of the Congress over the years es- 
sentially dollars were authorized and appropriated for the National 
Security Agency to continue to perform that program. Now that 
takes me back to the mid-1980s when there was a covert action 
directed against Nicaragua. It involved the Contras and the San- 
danistas, and, in fact, the Boland Amendment did explicitly termi- 
nate that program in 1984. 

Do you have any thoughts, or do any of the members have any 
thoughts as to what might have been done back in 2003 that would 
have perhaps better dealt with this issue. 

Mr. Turley. I suppose my first answer is I believe that the rank- 
ing Democratic member on the committee also mentioned that she 
didn’t feel that she was able, because of the restrictions, to seek out 
advice of experts as to whether this was lawful under FISA, and 
that it was not until this matter became public that she concluded 
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that, indeed, there were legal issues. She was looking at it purely 
from an operational standpoint. 

The second response is that I am still not sure why this oper- 
ation was not disclosed to the full membership of those committees. 
My understanding is that it is only covert operations that are re- 
trained to the smaller group. This would not constitute, as far as 
I know, that type of a covert operation. The surveillance program 
has generally been viewed as something that goes to the member- 
ship. 

The third answer is that an appropriation of money has never 
been considered by the courts as any form of authorization. Under 
1809, the authorization would have to be a specific authorization 
to give essentially a third track if you are not going to put it under 
FISA or Title 3. 

And then, finally, my last response is, I am not too sure that you 
could put what was the NSA operation in the federal law without 
it being struck down. I mean, I think there is serious constitutional 
questions. 

But I also believe, as someone who has practiced — I have been 
in the FISA court as a young intern at NSA, and I have been coun- 
sel in FISA cases, and I still don’t understand why there was a 
need to go outside of FISA. FISA is the most user-friendly law ever 
created for a president. And so I still am not convinced about the 
need to circumvent the law. 

Mr. Simmons. I appreciate that response. 

I vaguely recall the Senate Resolution 400 required that the com- 
mittee be kept fully and currently informed. That certainly applied 
to the Senate, maybe not to the House. 

My recollection is that there were various compartments that in- 
volved covert action and other activities, but that in my experience, 
when a controversial program was briefed to the committees and 
to the leadership, if it existed for more than a year, it was handled 
within the oversight process. So perhaps this is an issue for over- 
sight of those committees. 

And I recognize the gentleman from Mississippi. 

Mr. Thompson. Thank you very much, Mr. Chairman. 

I would like to respectfully disagree on some of the jurisdictional 
issues that have come before us today. I think all of us, including 
yourself, want to give the tools necessary for law enforcement to do 
the job, but in collecting data, we want to make sure that those pri- 
vacy and civil liberties issues are protected. 

And if, in fact, the information gained is then transmitted, that 
is gained illegally and transmitted to any organization, and they 
began the process. That pause in intelligence creates a real prob- 
lem, whether it is DHS. If I am a citizen, and I am all of a sudden 
on some kind of list that was, for whatever reason, put on that list 
through intelligence illegally gained, you know, I have a problem. 

And I think all of us want to create a process that protect the 
rights of citizens, protect the individual liberties, but also keep 
America strong. I agree with Mr. Hughes, these are difficult times, 
but we have to make more than just an average effort to protect 
the rights of citizens. It has to be an enhanced effort, a work in 
progress. 
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There is legislation on the books that talks about sharing intel- 
ligence, talks about a number of things that I think gives us sig- 
nificant jurisdiction authority to look at these things. Facts about 
it, we passed the law requiring the sharing of information between 
agencies because it was not taking place. I want us to be cognizant 
of that. 

The other issue is, and I will sort of make closing comments at 
this point if you like rather than giving questions. You know to the 
extent that we can strengthen whistle blower protections for citi- 
zens who have concerns and employees. We need to put that into 
place. We need to dispense laws on data mining and data sharing 
by agencies. You just can’t go get the information and throw it out 
there for review without the protection of citizens. 

I have talked about the subpoena power that we all kind of agree 
that you really can’t do your job effectively unless you have that. 

I must also say, Mr. Chairman, I am concerned that because we 
don’t have it, the Privacy Office is using the leadership or the sec- 
retary or some friendly persuasion rather than having the inherent 
authority in that office to get it done. Whether they have to exer- 
cise it or not, we need to have it in place. This is a critical issue 
for all of us. 

One of the strengths of our country and many of the things our 
founding fathers put together was the interest in seeking certain 
freedoms, and I would not want us under the color of intelligence 
or any other statute limit many of those freedoms for the citizens 
who operate within the law. 

The law should protect them, and I look forward to continuing 
the discussion along this line, Mr. Chairman, and coming up with, 
not only a robust system that protects us all, but also, on the other 
hand, a system that protects the individual rights and liberties of 
American citizens. 

And I yield back. 

Mr. Simmons. I thank the gentleman for his comments, and 
thank him very much for his participation in this hearing this 
morning. 

I think these issues are incredibly important, and I think they 
are also incredibly difficult. I am haunted by what I read in the 
9/11 Commission report. I am reminded constantly that 12 of my 
constituents died on that day. And I recall regularly that my 
daughter was living in New York City a few blocks from the World 
Trade Center in an area that she could not return to because of the 
damage and destruction that two of her roommates and best 
friends from childhood were killed on that day. And I struggle with 
the balance between liberty and security. 

Could we have listened to the phone conversation of Mohammad 
Atta? Could we have prevented that if we had done things dif- 
ferently? And as we work to bring about the changes to how we 
provide our Homeland Security for the safety of our citizens, are 
we protecting the liberties that make this country what it is and 
what we want it to be, not just for ourselves but for our children 
and future generations? 

This is a solemn responsibility and a difficult challenge where, 
I believe, all of us have to work together to come up with a solu- 
tion. And we won’t solve it today or tomorrow. We will solve it 
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through a process of discussion and debate and hearing just as we 
have today. 

I thank the panel for coming, and I thank the ranking member. 
The hearing is adjourned. 

[Whereupon, at 10:49 a.m., the subcommittee was adjourned.] 
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Wednesday, May 10, 2006 

U.S. House of Representatives, 

Subcommittee on Intelligence, Information 
Sharing, and errorism Risk Assessment, 

Committee on Homeland Security, 

Washington, DC. 

The subcommittee met, pursuant to call, at 4:03 p.m., in Room 
311, Cannon House Office Building, Hon. Rob Simmons [chairman 
of the subcommittee] presiding. 

Present: Representatives Simmons and Lofgren. 

Mr. Simmons. [Presiding.] The Homeland Security Committee, 
and Subcommittee on Intelligence, Information Sharing, and Ter- 
rorism Risk Assessment will come to order. 

We are meeting today at the request of the minority members of 
the subcommittee under House Rule 11 to receive testimony from 
a witness of the minority’s choosing for one additional day on the 
subject of protection of privacy in the Department of Homeland Se- 
curity intelligence enterprise. 

The majority extended invitations to every witness that the mi- 
nority requested, and I personally called the primary witness. Dean 
Parker, to secure her testimony today. 

Unfortunately, none of the minority witnesses were able to at- 
tend. But, as I have expressed to my friend and colleague from 
California, I will continue in this effort. 

Ms. Lofgren. Mr. Chairman, I appreciate that offer of collabora- 
tion. 

And as we discussed briefly early today. Dean Parker has not 
been able to attend. And I think, since she doesn’t have current 
knowledge, we will continue to pursue the other three witnesses 
which you have written to. And I look forward to working with you 
in securing their attendance and learning what we can. 

So, at this point, I would concur that this hearing ought to be 
called to a halt — or gavelled to a halt. And we will see either those 
three witnesses or their representatives who can speak knowledge- 
ably for them at a future date. 

And I thank you for your courtesy. 

Mr. Simmons. I thank the ranking member for her comments. I 
concur in her assessment of the situation. 

Having no witnesses, the subcommittee stands adjourned. 

[Whereupon, at 4:04 p.m., the subcommittee was adjourned.] 
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